anything

Author Topic: [email protected]  (Read 3799 times)

TGOSxx

  • Guest
I tried to register here several times, BTW, using different names and mail addresses, but there is never an activation mail, just in case someone cares (I resent some of them 20 times and disabled all spam filters upfront, no mail, nothing).

Okay, the idea behind this PM as Firefox ext. is pretty nice, but for my purpose it is totally useless. See, I use a couple of different logins for different sites. I don't have millions of logins, but about 20 or so - not one per site either. I want my browser to prefill my login. So I have to create custom settings with custom usernames per site, which is PITA enough to do (as specifying URLs is much more work than just using the internal password storage of Fx, that remembers password and username once I typed it for a page). Anyway, having to create one account per site would defeat any usefulness of this extension. In theory I could just create one account per username and sort my pages into that, which is probably acceptable. But the problem with that is that for custom accounts the URL is not used (nothing of the domain) but some static text I have to type there.

E.g. on many pages I log in with TGOS, so I create a custom account named TGOS and put TGOS there as username, then add wildcards for all the sites where I use TGOS. However, since it does not use the domain for generating the hash, it will now generate exactly the same password for all these pages :/ This defeats the whole purpose of using such an extension, as if one page is hacked, all pages where I use TGOS are hacked. The domain is only used for the default account, but there I can only specify one of my 20 typical logins.

Thus I had to really create one account per page I log in. Quite PITA.

And the other thing is: What advantage does this ext. give me over the Fx password manager? I guess it's that I can have the secure password re-generated when not sitting in front of my computer without having to remember it, right? Well, but I need to remember the username I used for this page, the length of the password, the characters used, the l33t level, prefix or suffix (if any), counter (if any) and the hash algorithm, since all these can be custom by account. Don't you think remembering a long, secure password is actually easier than remembering all these settings?

So nice idea, but I'm afraid it only adds a damn lot of work and I need to remember much more than I need already and the security is questionable. You say it can defeat key loggers? Yes, it can, but whoever has a keylogger on my system probably has a full blown Trojan there and can get the PasswordMaker setup file as well. Having this file and logging my master password means all my accounts are hacked (unless I don't use the same master password everywhere, which again makes everything harder to remember).

Right now my tactic is to have a couple of passwords (30), some are simple, some are hard, depending on how secure the login needs to be, I choose a simpler or harder one (and also depending on the purpose of the page). If I now only remember what username I used and if it was a very secure one or not, I can easily know again which of these 30 passwords I used, since the purpose of the page has not changed (forum, shopping page, online banking, etc.) and here in the worst case a "category" of pages got hacked.

Offline quixin

  • Administrator
  • *****
  • Posts: 538
While it is true there can be a substantial amount of 'setup' time, once complete PASSWORDMAKER can be effortless.

Yes, you must create a new account for each user name you intend to use per site.  Yes, there can be a lot of settings that could be impossible to remember.

I have 60 accounts, all with different settings (e.g. length, leet level, character set, username etc.)  I don't remember the first setting other than my master password.  I do this by carrying a USB drive with a mobile version of FF and PWM.  I also keep a copy of my settings file on an FTP in the event I don't have my USB drive.  I still only need to remember my master password.  This is the genius of keeping all your settings in one file still without compromising security.

Other PWM users have different ways of going about taking their passwords with them.  Perhaps they will chime in here.

I propose you spend a little more time and thought before coming to a conclusion about PWM.  I've yet to see any other option that provides as much security as it does convenience.




TGOSxx

  • Guest
Where's then the advantage?
« Reply #2 on: July 10, 2008, 09:19:53 PM »
Quote
Yes, you must create a new account for each user name you intend to use per site.

I wouldn't have to, if custom accounts, other than the master account, would not only allow me to enter a custom user name and provide wildcard/regex matches for which sites they shall apply, but would also use a similar mechanism like the main account to calculate the URL into the password, as then having one custom account per login would already be enough.

E.g. I could create one custom account per login, enter wildcards for all sites where I use this specific username login and still PasswordMaker would calculate a different login for each of these sites, as it uses the site name as well, and this will be different for different sites. If I then also use the same generation settings for each site, I can also remember that.

What you describe here is a way that gives me zero advantage over just using the built-in password capability, generating random passwords per site and hosting the Fx password profile encrypted on an FTP server. Then I don't need the whole extension at all.
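
The difference the two posts above argue about, as an added example that is not part of the thread and is not PasswordMaker's code: a deterministic generator that hashes a fixed text gives one password for every wildcard-matched site, while hashing the matched URL's host gives one per site. The HMAC-SHA-256 derivation, the `ACCOUNT` layout, the function names and the `.example` URLs are constructed assumptions, not PasswordMaker's actual algorithm or settings format.

```python
import hashlib
import hmac
import string
from fnmatch import fnmatch
from urllib.parse import urlsplit

CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
LIMIT = 256 - 256 % len(CHARSET)  # reject bytes >= LIMIT to avoid modulo bias


def derive(master, site_text, username, length=12, counter=0):
    """Derive a password from the inputs alone; nothing is stored."""
    data = "\x1f".join((site_text, username, str(counter))).encode()
    chars, block = [], 0
    while len(chars) < length:
        msg = data + block.to_bytes(4, "big")
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        chars += [CHARSET[b % len(CHARSET)] for b in digest if b < LIMIT]
        block += 1
    return "".join(chars[:length])


# Constructed custom account: one username, wildcard patterns for its sites.
ACCOUNT = {"username": "TGOS", "static_text": "TGOS",
           "patterns": ["*forum.example/*", "*shop.example/*"]}


def password_for(url, master, account, use_domain):
    """Return the password for url, or None if the account does not match."""
    if not any(fnmatch(url, p) for p in account["patterns"]):
        return None
    # use_domain=False: hash the fixed text (behaviour described in the thread).
    # use_domain=True: hash the matched URL's host (the change asked for).
    site_text = urlsplit(url).hostname if use_domain else account["static_text"]
    return derive(master, site_text, account["username"])


def compare(master="constructed master password"):
    urls = ["https://forum.example/login", "https://shop.example/login"]
    static = [password_for(u, master, ACCOUNT, use_domain=False) for u in urls]
    per_site = [password_for(u, master, ACCOUNT, use_domain=True) for u in urls]
    return static, per_site


if __name__ == "__main__":
    static, per_site = compare()
    print("static text :", static)    # same password on both sites
    print("matched host:", per_site)  # one password per site
```

With the static text, a password leaked from one matched site is valid on every other site under the same account; with the host mixed in, the leak stays confined to that site while the account count stays at one per login.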

Offline tanstaafl

  • Administrator
  • *****
  • Posts: 1361
Quote
I tried to register here several times, BTW, using different names and mail addresses, but there is never an activation mail, just in case someone cares (I resent some of them 20 times and disabled all spam filters upfront, no mail, nothing).
Maybe this had something to do with the forum problems we recently experienced... if so, our apologies. That said, there are a number of new subscribers 'awaiting activation'... what were 2 or 3 of the usernames you tried to register with?

Quote
I tried to register here several times, BTW, using different names and mail addresses, but there is never an activation mail, just in case someone cares (I resent some of them 20 times and disabled all spam filters upfront, no mail, nothing).
Actually, this is very similar to an existing Feature Request that was a result of this discussion I had with Kevin a long time ago, which also references this (shameless plug) long standing Feature Request of mine which would accomplish the same thing, albeit not in the way you asked for it...

Some interesting reading there...

Quote
So nice idea, but I'm afraid it only adds a damn lot of work and I need to remember much more than I need already and the security is questionable.
It really isn't that much work once you get your head around how it works... and it is *extremely* secure - *much* more secure than Firefox's password manager, which STORES the password in an easily discoverable way...

As for 'needing to remember much more...'... you apparently do not understand how it works. I haven't needed to 'remember' anything beyond the 4 Master Passwords I use for a very, very long time. I'd no sooner give up PWM and go back to life without than I would Broadband... and if I had the choice between nothing and dial-up at home - well, I'd be doing a whole lot more reading, playing cards, doing gardening, etc, because I certainly wouldn't be spending time online.