Author Topic: Safe for Firefox extensions? (Read 13664 times)

BHiko · « **on:** January 28, 2006, 11:15:40 AM »

How safe is the Passwordmaker for Firefox from attacks by other extensions?

An extension would have no difficulty in reading the contents of the passwordmaker.rdf file, it then only needs the master password.

Can an extension access Passwordmaker memory to obtain the master password?

tanstaafl · « **Reply #1 on:** January 28, 2006, 03:25:31 PM »

Excellent question, and one that I hadn't specifically thought of.

There is a Feature Request for this here, so please feel free to vote for it. Actually you have 5 votes, so please by all means peruse the many Feature Requests and vote for the ones that you'd most like to see added.

Shall I add one of your votes for this Feature?

Eric H. Jung · « **Reply #2 on:** January 28, 2006, 05:00:35 PM »

Hi BHiko,

We should probably move this post to the Help and Support forum (it's not exactly a Tip/Trick).

Quote

How safe is the Passwordmaker for Firefox from attacks by other extensions?

No extension is safe from another extension. They all run in "privileged" mode.

Quote

Can an extension access Passwordmaker memory to obtain the master password?

The master password is stored encrypted in memory, so this is unlikely but not impossible.

You should always be careful of the extensions you install. It is no different than installing an executable on your machine. The source must be trusted. Never install an extension from anywhere other than http://addons.mozilla.org. Mozilla screens extensions to make sure they aren't malicious.

-Eric

Eric H. Jung · « **Reply #3 on:** January 28, 2006, 05:13:47 PM »

p.s. this is one reason why I always say the best security (but most inconvenient) is Store Master Password - Not At All. The master password cannot be stolen in this case because it is never stored. After the user types it, the mpw is set in local variables only, and those variables are deleted and nulled before the functions which define them return.

BHiko · « **Reply #4 on:** January 28, 2006, 06:12:38 PM »

A secure scheme might be to:

use Store Master Password - Not At All
use the built in Firefox autocomplete and/or cookies for non-critical sites
use PasswordMaker each time for sites with a financial risk (where a login can yield a payment), do not have Firefox remember the password in this case.

This way,

you don't have to fill in the Master Password too often: only for generation and for financial sites
you keep it as secure as possible

tanstaafl · « **Reply #5 on:** January 29, 2006, 12:36:01 AM »

I like the 'Store in Memory' option - it is the best of both worlds imnsho...

As Eric said, it is stored encrypted in memory, so it is secure... and this way you only have to enter it occasionally.

I still like the idea of encrypting the rdf file though...

Eric H. Jung · « **Reply #6 on:** January 29, 2006, 10:13:11 PM »

Quote

I like the 'Store in Memory' option - it is the best of both worlds imnsho...As Eric said, it is stored encrypted in memory, so it is secure

Yes, it is stored encrypted in memory, but a diligent hacker can reverse-engineer the PasswordMaker source to find how to decrypt it: remember, PasswordMaker itself needs the ability to decrypt it on-the-fly so the decryption logic does exist in the source. Once again, I emphasize the use of Store Master Password - Not At All for total security.

Guest · « **Reply #7 on:** May 04, 2006, 05:50:33 AM »

Hi,
Being skeptical of a 3rd party downloads all the time, is there a way to verify that this extension does not in anyway transmit the master password to anywhere else whenever we are online. It is by no means to disgrace Eric but I just want to be sure..

morguns · « **Reply #8 on:** May 05, 2006, 02:34:22 AM »

Quote

Being skeptical of a 3rd party downloads all the time, is there a way to verify that this extension does not in anyway transmit the master password to anywhere else whenever we are online. It is by no means to disgrace Eric but I just want to be sure..

absolutely! the code is completely open source :)

yyhhcc · « **Reply #9 on:** May 05, 2006, 06:19:14 AM »

Ok..Thanks.. Just realised the benefits of being 'open source' after some ''googling''.. I'm using it now with my IE..

yyhhcc · « **Reply #10 on:** August 14, 2006, 11:49:39 AM »

After weeks of smooth usage, I am hit with this error now after running a batch of Windows Updates..

Line 200
Char 3
Error : Permission Denied
Code 0

Is there anything that I can do to recover the tool?

Eric H. Jung · « **Reply #11 on:** August 15, 2006, 02:45:55 AM »

Which edition are you using? IE? Firefox? Something else?

yyhhcc · « **Reply #12 on:** September 19, 2006, 05:50:22 AM »

Hi Eric, is IE.

I could open the 'Open Passwordmaker' option but not the 'Populate with Passwordmaker' option. The late gives the error described above.

Eric H. Jung · « **Reply #13 on:** September 19, 2006, 12:11:39 PM »

Please switch to the Firefox edition? You haven't posted in a month so it sounds like you don't really use PasswordMaker frequently.

yyhhcc · « **Reply #14 on:** September 22, 2006, 05:30:09 AM »

Hi Eric,
No, not really. I am using your IE version of the passwordmaker everyday as I have plenty of online programmes/forums to visit daily. Reason why I responded late is mainly becoz I make use of the 'Open PasswordMaker' option since then albeit a little inconvenient (have to manually cut and paste the password back into the website that I intend to login).

I've been using IE since years back and hopefully you would be kind enough to provide a patch for the IE version of your wonderful tool. I seriously hope that I don't have to switch to firefox..

Thanks.

PasswordMaker Forums · « **Reply #14 on:** September 22, 2006, 05:30:09 AM »

Author Topic: Safe for Firefox extensions? (Read 13664 times)

Guest

PasswordMaker Forums