Author Topic: How to make PWM save a custom password.  (Read 875012 times)

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
How to make PWM save a custom password.
« on: September 19, 2005, 08:16:33 PM »


MODIFIED BY TANSTAAFL ON 10/25/08 TO REFLECT THAT THIS IS OUTDATED

If you want to save a custom password, do so using the 'Advanced Auto-Populate' Tab functionality.

********************

Here is how to make PasswordMaker to save a specific custom password other than the ones it generates.  
  • Create a new account (Advanced Options->Accounts tab->New Account)
  • Put your current password in the Prefix field
  • Change the Generated Password Length field to the length of your current password
Now PasswordMaker will store only whats in the prefix field for that accounts password.  It doesn't matter what is entered in any other field.  Not even the leet setting will have any effect.

I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.

Thanks,

quixin
« Last Edit: October 25, 2008, 03:21:56 PM by tanstaafl »



Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
How to make PWM save a custom password.
« Reply #1 on: September 19, 2005, 08:22:45 PM »
Great tip, quixin!

Quote
I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.
Yes -- very soon.

By the way, you should be aware that password prefixes and suffixes aren't stored encrypted. They're plain text :(   I will change that, too.

LkonKbd

  • Guest
How to make PWM save a custom password.
« Reply #2 on: October 19, 2005, 12:21:49 AM »
Quote
Here is how to make PasswordMaker to save a specific custom password other than the ones it generates.  
  • Create a new account (Advanced Options->Accounts tab->New Account)
  • Put your current password in the Prefix field
  • Change the Generated Password Length field to the length of your current password
Now PasswordMaker will store only whats in the prefix field for that accounts password.  It doesn't matter what is entered in any other field.  Not even the leet setting will have any effect.

I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.

Thanks,

quixin
"Quixin,"

You can also split that password between the PreFix and the Suffix so if anyone is able to find one the other will still be an item that would need be searched for.

Offline wimh

  • Normal Members
  • *
  • Posts: 3
How to make PWM save a custom password.
« Reply #3 on: September 23, 2006, 11:55:03 PM »
As discussed in Tips & Tricks - the short list, this tip is now obsolete.

The way to solve this now is: Go to Account Settings->Advanced Auto-Populate and set "field type" to password

But I think both ways are insecure if you have physical access to the pc where this is stored. You can browse to the page where the password has to be entered, then populate the password field. This can be done without the master password, because it is not required to populate the password field. Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.

I propose a different workaround:
  • Create an account and go to the extended settings.
  • Enter your favorite settings and set the correct password length.
  • Now check the generated password.
  • Enter random text in the Modifier field until the generated password contains only unique characters.
  • Now you can map the characters to the required password.
For example:
  • My password is "secret"
  • I set the password length to 6, and Characters to "0123456789abcdef" (for this example)
  • The generated password is now "4c69ac". Because the "c" character is twice in the generated password, I need to change the modifier.
  • Now I enter "123456" in the modifier field, and the generated password becomes "f46db1". This is fine.
  • Now I replace "f" in the character field with "s". 4 with e, 6 with c, .....
  • The result is "0t23e5c789aecres", now the generated password is "secret".
With the wrong master password something random is generated.
This can be improved by changing the unused characters in random characters.


Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
How to make PWM save a custom password.
« Reply #4 on: September 24, 2006, 01:55:46 AM »
If there's a great enough want for this, I'll see about making a javascript function that can be used with PasswordMaker to create something like this.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
How to make PWM save a custom password.
« Reply #5 on: September 25, 2006, 03:53:47 PM »
Quote
For example:

    * My password is "secret"
    * I set the password length to 6, and Characters to "0123456789abcdef" (for this example)
    * The generated password is now "4c69ac". Because the "c" character is twice in the generated password, I need to change the modifier.
    * Now I enter "123456" in the modifier field, and the generated password becomes "f46db1". This is fine.
    * Now I replace "f" in the character field with "s". 4 with e, 6 with c, .....
    * The result is "0t23e5c789aecres", now the generated password is "secret".

I don't really understand how this gets around the problem you describe. Can you elaborate? FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthoized users in the first place.

Offline wimh

  • Normal Members
  • *
  • Posts: 3
How to make PWM save a custom password.
« Reply #6 on: September 25, 2006, 06:11:03 PM »
Quote from: Eric H. Jung
FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthoized users in the first place.

I agree with that, but there are cases where that is not always possible.

To explain what I mean, enter the following in passwordmaker or the online version at http://passwordmaker.org/passwordmaker.html

Code: [Select]
masterkey a
no leet
MD5 hash
domain passwordmaker.org
length 6
username b
modifier 123456
keys wtdfegcvxqzearbs
no prefix/suffix

this generates the password from my example ("secret")

but only with the correct masterpassword.
without a masterpassword "ezcfvd" is generated.
with test as masterpw, "scazrw" is generated.

So this means nobody can find this password in any way without the masterpassword. So even if somebody steals my laptop, I don't have to worry about my password.

Offline morguns

  • Full Member
  • ***
  • Posts: 145
How to make PWM save a custom password.
« Reply #7 on: September 26, 2006, 02:57:23 AM »
i might be heading down a tangent here, but the point of passwordmaker is to generate passwords on the fly. i don't believe it was intended to be a password keeper program like keepass, password agent, etc., etc. it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?" now back to your regularly scheduled program.... :)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
How to make PWM save a custom password.
« Reply #8 on: September 26, 2006, 03:40:46 AM »
OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out. You wrote:

Quote
Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.

Offline wimh

  • Normal Members
  • *
  • Posts: 3
How to make PWM save a custom password.
« Reply #9 on: September 26, 2006, 08:17:58 PM »
Quote from: morguns
it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?"
Take a look at the FAQ "I want PasswordMaker to automatically populate webpage forms for me, but I don't want to change my password on some sites. Is PasswordMaker still a good choice?". The answer there is yes. So if this is considered a feature, then I think it must be used as secure as possible. This does not even require a software change.

I agree that a brute force attack to find the generated password becomes easier, but it is still pretty secure if used the right way. If you ever need to change the master password, you can use this technique too.

Quote from: Eric H. Jung
OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out.  You wrote:

Quote
Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.

So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.
I am not sure I understand what you mean (english is not my native language). But I will give an example:
  • browse to [a href=\\\"http://www.web-log.nl/login.php\\\" target=\\\"_blank\\\"]http://www.web-log.nl/login.php[/a]

  • Go to passwordmaker
  • enter the master password
  • show advanced options
  • add a new account
  • General: name = web-log.nl
  • URLs: Add wildcard pattern *web-log.nl/*
  • Advanced auto populate:
  • click on the "Wachtwoord" field on the web page (field name and type becomes password)
  • enter a password and press add
  • press Ok and close passwordmaker

  • now restart firefox, to pretent you are somebody else

  • browse to [a href=\\\"http://www.web-log.nl/login.php\\\" target=\\\"_blank\\\"]http://www.web-log.nl/login.php[/a]
  • Now the password in automatically filled (without anything asked)
  • This means:
  • * that person can use the side using my login
  • * if I enter java script:alert(document.forms[1].elements[1].value); in the url bar, I can see the password (no space between java script)
  • * If I go to the adv. autopopulate and click the "Wachtwoord" field, the password is shortly visible before it is changed into ******

  • When you use the technique I explained, you would first need to enter the master password before the field is populated (asuming the master password is not saved on disk).
My point is that if someone gets access to my pc (or passwordmaker.rdf), I don't want him to find my preset password. This is not neccesary a human-readable word, but it is just a password which is not generated.

If you only use generated passwords, you do not use this. But if there is a situation where you must use an existing password, then use this!

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
How to make PWM save a custom password.
« Reply #10 on: September 26, 2006, 08:32:15 PM »
I *think* I understand what is being discussed, but if I do, it seems to me like it would be much better to just get the RDF file encrypted... that way, NO one can use your PWM without knowing the password used to encrypt it.

Personally, I know *I* wouldn't go to so much trouble just to keep from changing a password - it would be much simpler to just change it.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
How to make PWM save a custom password.
« Reply #11 on: September 27, 2006, 12:19:18 AM »
My comments shortly; I'm working on getting out PasswordMaker 1.6.1.

Offline Dave

  • Normal Members
  • *
  • Posts: 5
Re: How to make PWM save a custom password.
« Reply #12 on: January 11, 2008, 02:56:42 PM »
Try as I might, I have been unsuccessful in creating a changed password for one site only, leaving others all the same.  Whatever I try either doesn't change the PW for the intended site, or changes them all.  Is there a step by step procedure you can point me to?
Dave

LkonKbd

  • Guest
Re: How to make PWM save a custom password.
« Reply #13 on: August 07, 2008, 01:23:31 AM »
i might be heading down a tangent here, but the point of passwordmaker is to generate passwords on the fly. i don't believe it was intended to be a password keeper program like keepass, password agent, etc., etc. it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?" now back to your regularly scheduled program.... :)

Even @ this late date I am in COMPLETE agreement with you, "morguns," and would like to see this maintained as a, (if I may quote you?) "generate passwords on the fly" if you can keep the 'fly' still long enough.  If there is any thought in the direction of being a 'password keeper' that should be a totally different extension and NOT interfere in any way, shape, form, look-a-like, et ceteras with the functionality of PassWordMaker in the form it is presently in.  If this is even considered I may, for one speaking for me, change the way I generate my passwords.

If you consider this as 'putting my foot down' then that is my FINAL comment in this area, well on this topic anyway.

Thank you for reading my posty late toaster,

Offline meganox

  • Normal Members
  • *
  • Posts: 4
Re: How to make PWM save a custom password.
« Reply #14 on: October 25, 2008, 02:24:13 PM »
If there is any thought in the direction of being a 'password keeper' that should be a totally different extension and NOT interfere in any way, shape, form, look-a-like, et ceteras with the functionality of PassWordMaker in the form it is presently in. 

Unfortunately, passwordmaker with autocomplete enabled interferes with firefox's built in password manager, there is no way to use them together, so if PM isn't going to re-implement this functionality there is no easy way of having it.  Firefox encrypts your saved passwords on disk if you enter a master password, which gives a bit extra security against someone with physical access to your machine.  PM doesn't currently do this for passwords saved with advanced auto-complete, and this hack mitigates that by at least requiring a master password before it enters a password on a web page.  Personally I would like it if PM required the master password before doing anything, and maybe skipped autocompletion for pages that found a match in FF's password manager.

So this means nobody can find this password in any way without the masterpassword. So even if somebody steals my laptop, I don't have to worry about my password.

If you look closely, it doesn't really add any security beyond requiring the master password to auto-complete.  If you follow the original example, you can see that the letters of "secret" appear out of place in the character list, allowing an attacker to know the characters used if not their order.  Even with a random-ish password saved in this way it would make brute-forcing trivial.  A human-readable password becomes simply an anagram.  You should still be very worried if your laptop was stolen!

As Eric says, the best solution is not to allow physical access to your machine. 



PasswordMaker Forums

Re: How to make PWM save a custom password.
« Reply #14 on: October 25, 2008, 02:24:13 PM »