PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Help and Support => Topic started by: owlbebak on December 29, 2007, 11:58:23 PM

Title: Visibility of accounts in advanced option mode
Post by: owlbebak on December 29, 2007, 11:58:23 PM
I have never noticed this before, but since I am out of town visiting relatives, I am using their computer and have just downloaded and installed PasswordMaker for Firefox and installed my rdf file from a pocket flashdrive and am using PWM successfully. But, I have just noticed that even before entering my master password I can click the blue Advanced Options link and I can see all my accounts listed and the complete info on characters, password length, etc. I don't like this. Wouldn't it be possible to prevent this viewing access by forcing entry of the master password first? Or is there an option already I am not aware of?

I will definitely uninstall the PWM add-on before leaving for home!
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 30, 2007, 12:07:30 AM
And just discovered that the account info can be changed without entering a master password! I think there is a bug.
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 30, 2007, 12:15:43 AM
I am on a Windows computer using Firefox 2.0.0.11 and PWM 1.7.1
Title: Re: Visibility of accounts in advanced option mode
Post by: Miquel 'Fire' Burns on December 30, 2007, 01:39:49 AM
Currently there is no option for handling this.
Title: Re: Visibility of accounts in advanced option mode
Post by: Eric H. Jung on December 30, 2007, 01:44:44 AM
Hi,

This is not a bug. This is the behavior by design. There is mathematically no chance that your passwords can be stolen even if someone can see all of your settings and/or passwordmaker.rdf file--providing they don't have the master password.

That is the whole *point* of PasswordMaker. All data is useless without the master password. That is why you are discouraged from saving the master password to disk.
Title: Re: Visibility of accounts in advanced option mode
Post by: Miquel 'Fire' Burns on December 30, 2007, 02:47:23 AM
The point is, others can edit his advanced settings data. I think. But as there's two parts anyway...
Title: Re: Visibility of accounts in advanced option mode
Post by: Eric H. Jung on December 30, 2007, 04:24:32 AM
If his point was that PasswordMaker should prevent the editing of settings without entering a password, my response would be: how would PasswordMaker prevent someone from editing the RDF file on the hard drive, completely bypassing PasswordMaker?

It strikes me that this should be handled at the file system level. Store your RDF file in a user directory, for instance, so that other users can't edit it, or keep it stored on a remote filesystem (e.g., over FTP or WebDAV) or on a thumbdrive.
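
Added example (not part of the thread, and not PasswordMaker's own code): a simplified model of the design discussed in the posts above, where the site password is computed from the master password plus the stored account settings. It shows that reading the settings does not yield the password, that editing them silently changes what is generated, and that a digest kept with an off-machine backup reveals the edit. The HMAC-SHA256 construction, the field names and the sample values are assumptions made for illustration; the real algorithm and RDF schema differ.

```python
import hashlib
import hmac
import json

# Constructed sample account settings (hypothetical fields, not the real RDF schema).
SETTINGS = {"site": "example.com", "username": "owl", "length": 12,
            "charset": "abcdefghijklmnopqrstuvwxyz0123456789"}


def derive_password(master: str, settings: dict) -> str:
    """Toy generator: HMAC-SHA256(master, site:username) mapped onto the charset."""
    data = f"{settings['site']}:{settings['username']}".encode()
    digest = hmac.new(master.encode(), data, hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    charset, out = settings["charset"], []
    for _ in range(settings["length"]):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


def settings_digest(settings: dict) -> str:
    """SHA-256 over a canonical serialisation; store it away from the machine."""
    blob = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def settings_unchanged(settings: dict, known_good: str) -> bool:
    """Compare the current settings against a digest recorded earlier."""
    return hmac.compare_digest(settings_digest(settings), known_good)


def demo() -> dict:
    baseline = settings_digest(SETTINGS)
    real = derive_password("correct master", SETTINGS)
    # Reading every setting but guessing the master gives a different password.
    guess = derive_password("wrong master", SETTINGS)
    # Editing a setting reveals nothing, but changes what gets generated.
    tampered = dict(SETTINGS, length=8)
    after_edit = derive_password("correct master", tampered)
    return {"guess_matches": guess == real,
            "edit_changes_output": after_edit != real,
            "original_ok": settings_unchanged(SETTINGS, baseline),
            "tamper_detected": not settings_unchanged(tampered, baseline)}


if __name__ == "__main__":
    print(demo())
```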
Title: Re: Visibility of accounts in advanced option mode
Post by: Eric H. Jung on December 30, 2007, 04:44:52 AM
I just realized that you *still* can't control the location of the PasswordMaker settings file. Adding this ability will kill at least 3 birds with one stone:

1. Allows you to encrypt the settings file with a tool like http://www.truecrypt.org
2. Prevents people from editing your settings file (if using a tool like TrueCrypt to encrypt it)
3. Prevents people from seeing your settings (again if using a tool like TrueCrypt)
4. Allows you to store the file on a USB drive for easier portability -- no need to copy the file from a USB drive (or FTP or WebDAV) to the local file system. If you store the TrueCrypt file on the USB drive, you get numbers 1-3, too.

I think this will be a big priority for me as soon as Firefox 3 compatibility is finished.
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 30, 2007, 05:05:18 AM
Since, in this situation I was using a relative's computer and I have never noticed this aspect of PWM, it shocked me. I never thought of this info as being so easily accessible to prying eyes. On my personal computers I have the entire OS password protected which prevents easy access to my home directory and therefore PWM.

As the program exists now, a person can screw up the settings (which I just tested to see if possible) or simply export the data. The main rule I suppose, is to always keep backups of your settings in multiple places.

Is it possible to have PWM have the import settings on the basic screen and then require the master password to be typed in before the account tab info is visible in the advanced settings?

Or to have the account tab protected by a global setting option similar to "hide master password field..."? But of course that protection would disappear once the browser was closed.... this is more complex than I first thought... I will have to think about this some more!

I have never considered where the account data is stored on the computer for PWM. At this stage I am just thinking about the casual prying eyes and not the experienced hacker seeking the password data.
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 30, 2007, 05:19:02 AM
Since I will be returning home, I will uninstall the Firefox PWM add-on from this relative's computer. Will my account data also vanish or is it stored somewhere on the computer that I should delete?
Title: Re: Visibility of accounts in advanced option mode
Post by: tanstaafl on December 30, 2007, 02:06:41 PM
> I just realized that you *still* can't control the location of the PasswordMaker settings file. Adding this ability will kill at least 3 birds with one stone:
>
> 1. Allows you to encrypt the settings file with a tool like http://www.truecrypt.org
> 2. Prevents people from editing your settings file (if using a tool like TrueCrypt to encrypt it)
> 3. Prevents people from seeing your settings (again if using a tool like TrueCrypt)
> 4. Allows you to store the file on a USB drive for easier portability -- no need to copy the file from a USB drive (or FTP or WebDAV) to the local file system. If you store the TrueCrypt file on the USB drive, you get numbers 1-3, too.
>
> I think this will be a big priority for me as soon as Firefox 3 compatibility is finished.

Good news... this is one I'd really like to see implemented... thanks!
Title: Re: Visibility of accounts in advanced option mode
Post by: tanstaafl on December 30, 2007, 02:07:57 PM
> Since I will be returning home, I will uninstall the Firefox PWM add-on from this relative's computer. Will my account data also vanish or is it stored somewhere on the computer that I should delete?

Be sure to delete the .rdf file from their user profile. Uninstalling PWM does NOT delete the .rdf file.

Maybe it should? Not sure if it is even possible though.
Title: Re: Visibility of accounts in advanced option mode
Post by: tanstaafl on December 30, 2007, 02:09:23 PM
The best thing to do for things like this is to keep a thumb drive with a portable version of FFox on it... this way you don't have to install or uninstall anything...

www.portableapps.com
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 30, 2007, 03:36:14 PM
Thanks tanstaafl,

I will give the PortableApps a try.

Another option I guess, when using a guest computer, is to create another temporary Firefox profile and install the PWM and personal data to that. Then when leaving, just delete the temporary Firefox profile.

If the guest computer already had PWM installed, wouldn't it be necessary to do this anyway in order to have my personal settings?
Title: Re: Visibility of accounts in advanced option mode
Post by: Eric H. Jung on December 30, 2007, 04:19:50 PM
> If the guest computer already had PWM installed, wouldn't it be necessary to do this anyway in order to have my personal settings?

Yep. Start firefox.exe with the "-profileManager" argument to manage profiles. But tanstaafl's PortableFirefox idea is the way to go when traveling, IMO.
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on December 31, 2007, 01:44:29 AM
I installed the portableapps program on my flashdrive and it works great! I will use this when I'm on a guest computer.

Thanks again for the tip tanstaafl.
Title: Re: Visibility of accounts in advanced option mode
Post by: tanstaafl on December 31, 2007, 04:57:36 AM
ur welcome... :)
Title: Re: Visibility of accounts in advanced option mode
Post by: owlbebak on January 04, 2008, 03:04:47 PM
As a follow-up about portableApps, I also just read about a free program called mojopac found at mojopac.com. It is a virtual workspace that is similar to portableApps, but it creates an independent environment on the host computer and is run from USB devices and iPods, etc. I just installed it on my 2.5 USB harddrive and it is pretty cool. What is interesting is that I inserted my USB flashdrive where I had installed portableApps and it will run the portableApps program too! Check it out!
Title: Re: Visibility of accounts in advanced option mode
Post by: Miquel 'Fire' Burns on January 04, 2008, 04:07:58 PM
And they have a slow site...
Title: Re: Visibility of accounts in advanced option mode
Post by: tanstaafl on January 04, 2008, 04:12:38 PM
Well, then, you might also be interested in this (Portable Virtual Privacy Machine):

http://www.metropipe.net/ppm.php

It isn't 'supported', and includes an older version of Firefox, but I don't see any reason you couldn't update it...
Title: Re: Visibility of accounts in advanced option mode
Post by: Eric H. Jung on January 05, 2008, 07:08:19 PM
> As a follow-up about portableApps, I also just read about a free program called mojopac found at mojopac.com. It is a virtual workspace that is similar to portableApps, but it creates an independent environment on the host computer and is run from USB devices and iPods, etc. I just installed it on my 2.5 USB harddrive and it is pretty cool. What is interesting is that I inserted my USB flashdrive where I had installed portableApps and it will run the portableApps program too! Check it out!

This looks really interesting. It looks like a portable Windows VM. I wonder how they handle licensing issues with Microsoft; I run a number of VMWare instances (Windows), and each requires its own unique license and activation key. I'll have to try mojopac...

eric
Title: Re: Visibility of accounts in advanced option mode
Post by: Miquel 'Fire' Burns on January 06, 2008, 02:45:50 AM
It seems to use stuff from the host computer. I ran it on my home computer to find it had a moment where it 'choked' trying to set up Windows Messenger (as there's no trace of it on my computer). And the fact it ran IE7 even though it was set up to use IE6 (the icon it has).

Don't think it's a true VM like you would use with VMWare.