General Questions

[JMM]

In theory this all sounds great. I have a couple of questions though, about how it works in practice.

1) What happens to my ability to get into websites Passwordmaker has protected - if I have a hard drive failure and have to reinstall from scratch? I know that a backuped hard drive is a good thing, but previous experience has taught me that this does not always work as it should.

2) I use several computers throughout the day, in several locations.  It sounds like the only way to access protected websites is to email myself a file and download it on each computer. Since some of the computers are public access ones, this raises security concerns for me.

3) Is there some way to view all the sites that are protected? not just the special sites (accounts?) but every website ever protected...and a list of passwords? I'm thinking of certain websites that are visited very infrequently, so much so that I may even forget that they are protected with PWM rather than my normal password system

[tanstaafl]

1) What happens to my ability to get into websites Passwordmaker has protected - if I have a hard drive failure and have to reinstall from scratch? I know that a backuped hard drive is a good thing, but previous experience has taught me that this does not always work as it should.

The only things that you need to be able to reproduce your passwords are:

a - your Master Password, and

b - the Settings used to create the password.

So, if you changed the PM settings to something other than the defaults (which is highly recommended for security), you will need to be able to reproduce these if you ever needed to reinstall PM.

The easiest thing to do is keep a backup of the PM RDF file, whcih is where the Settings are stored.

2) I use several computers throughout the day, in several locations. It sounds like the only way to access protected websites is to email myself a file and download it on each computer. Since some of the computers are public access ones, this raises security concerns for me.

Nothing to worry about, really... if it were me, I'd keep my RDF file on a secure FTP server so I could access it from wherever, then you could install PM, copy your RDF file over, use it, then delete the RDF file before you leave.

Alternatively, you could use the online version, although it doesn't support Custom Accounts, and would require you to know what Settings you used for each Account.

There is a plan to integrate synchronization between the online version and yours, but that is not available yet.

3) Is there some way to view all the sites that are protected? not just the special sites (accounts?) but every website ever protected...and a list of passwords?

No - PM doesn't store passwords anywhere (with the exception of the Master Password, if you tell it to). Account Passwords are always generated on the fly - nothing ever stored either in memory or on disk.

I'm thinking of certain websites that are visited very infrequently, so much so that I may even forget that they are protected with PWM rather than my normal password system

Again, all you'd need to be able to do is remember the Master Password used, and the Settings - and as long as you didn't lose your RDF file and didn't use different Master Passwords, that should be easy.

Personally, I use multiple Master Passwords, determined by what 'hat' I'm wearing - ie, a different Paster Password for each Client I work with, and one for my Personal Accounts.

[quixin]

Is there some way to view all the sites that are protected? not just the special sites (accounts?) but every website ever protected...and a list of passwords? I'm thinking of certain websites that are visited very infrequently, so much so that I may even forget that they are protected with PWM rather than my normal password system

The way to avoid this problem is always use PasswordMaker for each and every password and you will not have to worry about which sites uses it and which do not.  Otherwise, always create an account for the sites that use PasswordMaker that way if no account exist in your account settings, you know it doesnt use a PasswordMaker password.

PasswordMaker will only keep a list of the specific accounts you have created.  There will be no list or record of accounts used by default settings.

[Eric H. Jung]

Hi JMM,

What happens to my ability to get into websites Passwordmaker has protected - if I have a hard drive failure and have to reinstall from scratch? I know that a backuped hard drive is a good thing, but previous experience has taught me that this does not always work as it should.

We will shortly be offering server-side storage of passwordmaker.rdf as an option, instead of storing it on your hard-drive. You can do this yourself right now through email or FTP or some other means, but it's not integrated into PasswordMaker and so isn't very convenient.

[JJ]

Hi,

I have some similar newbie concerns before I install.  As I understand it, PasswordMaker will create a nonsense password for each URL that I will never see.  So my bank and Amazon.com, etc will have me registered as a user with my username and a nonsense password that I will never see.  So I will never be able to access any of these sites from any computer that doesn't have PasswordMaker installed, including any public access machine on which I don't have administrator privileges, or if I didn't happen to be carrying a copy of the RDF (?) file.  And if a situation arises where PasswordMaker becomes unavailable and I need to reinstall Firefox, I will never be able to log into any of my sites again.  And if I wanted to uninstall PasswordMaker for any reason, I would first have to visit each site and manually change the passwords to something I could remember if I ever wanted to log in in the future.

Correct?

[Guest]

Man, you really are looking at the world from its darkest corners.

But not everything is correct:
- Of course you can see the password, just open the extension's dialog.
- If the extension is not available, you can use an online service for password generation.
- Most sites have a process covering the lost-password-problem.

Now try looking at some positive effects of using PWM!

[Eric H. Jung]

Hi JJ,

You bring up valid questions, but perhaps your understanding of PasswordMaker isn't completely accurate. I'll try to help.

As I understand it, PasswordMaker will create a nonsense password for each URL that I will never see. So my bank and Amazon.com, etc will have me registered as a user with my username and a nonsense password that I will never see

No, you can always see the passwords. Go to Advanced Options->Global Settings Tab->uncheck Mask Generated Password with Asterisks. You can also check Show all passwords on web pages as clear text to see the passwords as PasswordMaker populates password fields for you.

So I will never be able to access any of these sites from any computer that doesn't have PasswordMaker installed, including any public access machine on which I don't have administrator privileges, or if I didn't happen to be carrying a copy of the RDF (?) file

No; there are other editions of PasswordMaker (e.g., the online version which you can even run on your own web server) which are available to you. There's also java and command-line versions almost finished, aside from IE and Konfabulator which we already have. Mobile phone edition is being worked on right now by Rishi.

And if I wanted to uninstall PasswordMaker for any reason, I would first have to visit each site and manually change the passwords to something I could remember if I ever wanted to log in in the future.

People have requested the ability to print out their passwords to a printer. If you think you'd like this feature, please vote for it in the Feature Request List.

Let us know if you have any other concerns.

Regards,
Eric

[JJ]

Hi,

Thanks for the replies.  Sorry to be so suspicious, but I've gone through the process of getting passwords and PINs before, and it can be a huge pain.  The fact that there is an online version available is very reassuring.

One more question:  Someone in this thread said that changing the default settings is highly recommended.  Everyone agrees?  Is there anywhere where this topic has been discussed?

Thanks again.

[Eric H. Jung]

Someone in this thread said that changing the default settings is highly recommended. Everyone agrees? Is there anywhere where this topic has been discussed?

I don't recall this topic being discussed in-depth. You must decide for yourself: most every choice in PasswordMaker is a choice between convenience and security. For example, if you choose to have the master password saved to disk, you are trading some security for convenience.

As for the default settings, by changing them you increase security (by obscurity) because if someone ever gets your master password, it's useless unless he literally guesses all of your settings. However, you are making things a little more inconvenient for youself because now you must remember those settings if you're ever at a public terminal and need to replicate your passwords using the online version.

If you have any suggestions on how to make this trade-off less painful, we'd like to hear them.

Best regards,
Eric