Author Topic: Hide master password for command line version.  (Read 13527 times)

jacannon
« on: May 02, 2006, 12:53:22 AM »
Can the command line version of passwordmaker be modified to include the option of manually/interactively entering the master password?

I was really glad to find a command line version of PasswordMaker!  When I went to use it I found that I had to enter the master password on the command line or store it in the rdf file.  (If there is a way around this, then let me know and the rest of the post is moot.)  I think storing your master password has been covered elsewhere in the forums.  However, entering the master password on the command line presents a couple of security problems on multiuser systems.

1) If command line entries are logged to a history file on the system (like .history, .sh_history, .bash_history, etc) the system administrator can determine your master password.  Of course, you could delete your history file or disable this feature (HISTSIZE=0), although this is not the default on Unix/Linux systems.

2) If another user on the system looked at the process table (ps) while the passwordmaker program was running, that user would have your master password as it is shown in the table as an argument to the running process.

There may be other issues that include backup software and system monitoring tools.  Anyway...

Maybe password maker could prompt the user for the password if "-m -" is entered or if "-m" is entered without an argument.

Something to think about.  I love passwordmaker!

Thanks!

J.

Miquel 'Fire' Burns (Administrator, Programmer)
« Reply #1 on: May 02, 2006, 01:15:42 AM »
I think limitations of TCLAP may not allow using just '-m', but I'll look into that.

But I will do this: not using -m will prompt for the Master Password (after all, the Firefox extension requires it for auto-populate anyway).

How slow must a computer be running to catch the process in the process table? The command-line version runs really quickly.

Heh, I've been using Windows so much that I didn't think of that.
« Last Edit: May 02, 2006, 01:17:13 AM by miquelfire »
"I'm not drunk, just sleep deprived."

jacannon
« Reply #2 on: May 02, 2006, 03:40:00 PM »
Quote from: miquelfire
But I will do this: not using -m will prompt for the Master Password (after all, the Firefox extension requires it for auto-populate anyway).

Thanks!


Quote
How slow must a computer be running to catch the process in the process table? The command-line version runs really quickly.

It's not always a matter of speed.  One case would be pure luck.  Another case would be a dedicated attempt to gather information.  Like so:

while true
do
       ps -ef >> ps.haxor.log
done

J

Miquel 'Fire' Burns
« Reply #3 on: May 03, 2006, 02:11:48 AM »
Yeah, I thought about the loop thing, but there's a good chance the person trying to use PasswordMaker CLI might notice their box using too many resources (unless they're using SSH and/or on a host that normally slows down once in a while, like some sort of game/web server maybe).

This option will appear in 1.4.
"I'm not drunk, just sleep deprived."
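
An added example, not PasswordMaker's own code: one way a POSIX command-line tool can implement the behaviour settled on in this thread (prompt when -m is absent, or when "-m -" is given) with terminal echo switched off, so the master password never appears in the process arguments or shell history. The function names are hypothetical, and arguments are scanned by hand rather than with TCLAP.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <termios.h>
#include <unistd.h>
// Added example: read_secret and resolve_master_password are hypothetical names.
// Read one line from `in`; if `in` is a terminal, turn echo off while typing.
// The prompt goes to stderr so stdout can still be piped. False on EOF/error.
bool read_secret(FILE* in, const char* prompt, std::string& out) {
    int fd = fileno(in);
    struct termios saved{};
    bool tty = fd >= 0 && isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (tty) {
        struct termios quiet = saved;
        quiet.c_lflag &= ~static_cast<tcflag_t>(ECHO);
        tcsetattr(fd, TCSAFLUSH, &quiet);
        fputs(prompt, stderr);
    }
    char buf[512];
    bool ok = fgets(buf, sizeof buf, in) != nullptr;
    if (tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);  // restore echo even if the read failed
        fputc('\n', stderr);
    }
    if (ok) {
        buf[strcspn(buf, "\r\n")] = '\0';  // drop the line terminator
        out.assign(buf);
    }
    volatile char* p = buf;                // wipe the stack copy of the secret
    for (size_t i = 0; i < sizeof buf; ++i) p[i] = 0;
    return ok;
}

// "-m VALUE" keeps the old behaviour (VALUE is visible in ps and shell history);
// no -m, or "-m -", reads the password from `in` instead.
bool resolve_master_password(const char* m_arg, FILE* in, std::string& out) {
    if (m_arg == nullptr || strcmp(m_arg, "-") == 0)
        return read_secret(in, "Master password: ", out);
    out.assign(m_arg);
    return true;
}

int main(int argc, char** argv) {
    const char* m_arg = nullptr;           // plain argv scan, not TCLAP
    for (int i = 1; i + 1 < argc; ++i)
        if (strcmp(argv[i], "-m") == 0) m_arg = argv[i + 1];
    std::string master;
    return resolve_master_password(m_arg, stdin, master) ? 0 : 1;
}
```

When standard input is not a terminal the same code reads the password from a pipe or file, which also keeps it out of the argument list.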
