PasswordMaker Forums
Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Tips And Tricks => Topic started by: quixin on September 19, 2005, 08:16:33 PM
-
MODIFIED BY TANSTAAFL ON 10/25/08 TO REFLECT THAT THIS IS OUTDATED
If you want to save a custom password, do so using the 'Advanced Auto-Populate' Tab functionality.
********************
Here is how to make PasswordMaker save a specific custom password other than the ones it generates.
- Create a new account (Advanced Options->Accounts tab->New Account)
- Put your current password in the Prefix field
- Change the Generated Password Length field to the length of your current password
Now PasswordMaker will store only what's in the prefix field for that account's password. It doesn't matter what is entered in any other field. Not even the leet setting will have any effect.
I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.
Thanks,
quixin
-
Great tip, quixin!
I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.
Yes -- very soon.
By the way, you should be aware that password prefixes and suffixes aren't stored encrypted. They're plain text :( I will change that, too.
-
Here is how to make PasswordMaker save a specific custom password other than the ones it generates.
- Create a new account (Advanced Options->Accounts tab->New Account)
- Put your current password in the Prefix field
- Change the Generated Password Length field to the length of your current password
Now PasswordMaker will store only what's in the prefix field for that account's password. It doesn't matter what is entered in any other field. Not even the leet setting will have any effect.
I understand Eric will eventually put a new feature that will allow you to specify a custom password without having to do this work around.
Thanks,
quixin
"Quixin,"
You can also split that password between the PreFix and the Suffix so if anyone is able to find one the other will still be an item that would need be searched for.
-
As discussed in Tips & Tricks - the short list (http://forums.passwordmaker.org/index.php?showtopic=378), this tip is now obsolete.
The way to solve this now is: Go to Account Settings->Advanced Auto-Populate and set "field type" to password
But I think both ways are insecure if you have physical access to the pc where this is stored. You can browse to the page where the password has to be entered, then populate the password field. This can be done without the master password, because it is not required to populate the password field. Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
I propose a different workaround:
- Create an account and go to the extended settings.
- Enter your favorite settings and set the correct password length.
- Now check the generated password.
- Enter random text in the Modifier field until the generated password contains only unique characters.
- Now you can map the characters to the required password.
For example:
- My password is "secret"
- I set the password length to 6, and Characters to "0123456789abcdef" (for this example)
- The generated password is now "4c69ac". Because the "c" character appears twice in the generated password, I need to change the modifier.
- Now I enter "123456" in the modifier field, and the generated password becomes "f46db1". This is fine.
- Now I replace "f" in the character field with "s". 4 with e, 6 with c, .....
- The result is "0t23e5c789aecres", now the generated password is "secret".
With the wrong master password something random is generated.
This can be improved by changing the unused characters into random characters.
-
If there's a great enough want for this, I'll see about making a javascript function that can be used with PasswordMaker to create something like this.
-
For example:
* My password is "secret"
* I set the password length to 6, and Characters to "0123456789abcdef" (for this example)
* The generated password is now "4c69ac". Because the "c" character appears twice in the generated password, I need to change the modifier.
* Now I enter "123456" in the modifier field, and the generated password becomes "f46db1". This is fine.
* Now I replace "f" in the character field with "s". 4 with e, 6 with c, .....
* The result is "0t23e5c789aecres", now the generated password is "secret".
I don't really understand how this gets around the problem you describe. Can you elaborate? FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthorized users in the first place.
-
FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthorized users in the first place.
I agree with that, but there are cases where that is not always possible.
To explain what I mean, enter the following in passwordmaker or the online version at http://passwordmaker.org/passwordmaker.html (http://passwordmaker.org/passwordmaker.html)
masterkey a
no leet
MD5 hash
domain passwordmaker.org
length 6
username b
modifier 123456
keys wtdfegcvxqzearbs
no prefix/suffix
this generates the password from my example ("secret")
but only with the correct masterpassword.
without a masterpassword "ezcfvd" is generated.
with test as masterpw, "scazrw" is generated.
So this means nobody can find this password in any way without the masterpassword. So even if somebody steals my laptop, I don't have to worry about my password.
-
i might be heading down a tangent here, but the point of passwordmaker is to generate passwords on the fly. i don't believe it was intended to be a password keeper program like keepass, password agent, etc., etc. it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?" now back to your regularly scheduled program.... :)
-
OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out. You wrote:
Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.
-
it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?"
Take a look at the FAQ "I want PasswordMaker to automatically populate webpage forms for me, but I don't want to change my password on some sites. Is PasswordMaker still a good choice?". The answer there is yes. So if this is considered a feature, then I think it must be used as secure as possible. This does not even require a software change.
I agree that a brute force attack to find the generated password becomes easier, but it is still pretty secure if used the right way. If you ever need to change the master password, you can use this technique too.
OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out. You wrote:
Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.
I am not sure I understand what you mean (english is not my native language). But I will give an example:
- browse to http://www.web-log.nl/login.php
- Go to passwordmaker
- enter the master password
- show advanced options
- add a new account
- General: name = web-log.nl
- URLs: Add wildcard pattern *web-log.nl/*
- Advanced auto populate:
- click on the "Wachtwoord" field on the web page (field name and type becomes password)
- enter a password and press add
- press Ok and close passwordmaker
- now restart firefox, to pretend you are somebody else
- browse to http://www.web-log.nl/login.php
- Now the password is automatically filled (without anything asked)
- This means:
- * that person can use the site using my login
- * if I enter javascript:alert(document.forms[1].elements[1].value); in the url bar, I can see the password
- * If I go to the adv. autopopulate and click the "Wachtwoord" field, the password is shortly visible before it is changed into ******
- When you use the technique I explained, you would first need to enter the master password before the field is populated (assuming the master password is not saved on disk).
My point is that if someone gets access to my pc (or passwordmaker.rdf), I don't want him to find my preset password. This is not necessarily a human-readable word, but it is just a password which is not generated.
If you only use generated passwords, you do not use this. But if there is a situation where you must use an existing password, then use this!
-
I *think* I understand what is being discussed, but if I do, it seems to me like it would be much better to just get the RDF file encrypted... that way, NO one can use your PWM without knowing the password used to encrypt it.
Personally, I know *I* wouldn't go to so much trouble just to keep from changing a password - it would be much simpler to just change it.
-
My comments shortly; I'm working on getting out PasswordMaker 1.6.1.
-
Try as I might, I have been unsuccessful in creating a changed password for one site only, leaving others all the same. Whatever I try either doesn't change the PW for the intended site, or changes them all. Is there a step by step procedure you can point me to?
Dave
-
i might be heading down a tangent here, but the point of passwordmaker is to generate passwords on the fly. i don't believe it was intended to be a password keeper program like keepass, password agent, etc., etc. it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?" now back to your regularly scheduled program.... :)
Even @ this late date I am in COMPLETE agreement with you, "morguns," and would like to see this maintained as a, (if I may quote you?) "generate passwords on the fly" if you can keep the 'fly' still long enough. If there is any thought in the direction of being a 'password keeper' that should be a totally different extension and NOT interfere in any way, shape, form, look-a-like, et ceteras with the functionality of PassWordMaker in the form it is presently in. If this is even considered I may, for one speaking for me, change the way I generate my passwords.
If you consider this as 'putting my foot down' then that is my FINAL comment in this area, well on this topic anyway.
Thank you for reading my posty late toaster,
-
If there is any thought in the direction of being a 'password keeper' that should be a totally different extension and NOT interfere in any way, shape, form, look-a-like, et ceteras with the functionality of PassWordMaker in the form it is presently in.
Unfortunately, passwordmaker with autocomplete enabled interferes with firefox's built in password manager, there is no way to use them together, so if PM isn't going to re-implement this functionality there is no easy way of having it. Firefox encrypts your saved passwords on disk if you enter a master password, which gives a bit extra security against someone with physical access to your machine. PM doesn't currently do this for passwords saved with advanced auto-complete, and this hack mitigates that by at least requiring a master password before it enters a password on a web page. Personally I would like it if PM required the master password before doing anything, and maybe skipped autocompletion for pages that found a match in FF's password manager.
So this means nobody can find this password in any way without the masterpassword. So even if somebody steals my laptop, I don't have to worry about my password.
If you look closely, it doesn't really add any security beyond requiring the master password to auto-complete. If you follow the original example, you can see that the letters of "secret" appear out of place in the character list, allowing an attacker to know the characters used if not their order. Even with a random-ish password saved in this way it would make brute-forcing trivial. A human-readable password becomes simply an anagram. You should still be very worried if your laptop was stolen!
As Eric says, the best solution is not to allow physical access to your machine.
-
Meganox...
This Tip/Trick is outdated now, with the advent of the 'Advanced Auto-Populate' tab/functionality. I've modified to the first post to indicate this, and will add a new Tip/Trick later this weekend.
PM doesn't currently do this (encrypt passwords) for passwords saved with advanced auto-complete,
While true for passwords saved according to this Tip/Trick, again, it is moot.
If you want to save a 'current' password, use the 'Advanced Auto-Populate' tab, and save it there in a 'password' field type - this WILL be encrypted. Be aware though that only fields of type 'password' are encrypted, OTHER field types are not. I think Eric agrees that this is a shortcoming, but once the RDF file itself is capable of being encrypted, it will render this shortcoming moot.
-
No matter how you look at the different ways of generating or saving a password . . . the safest I feel is 'generation' with a MASTER password that is also encrypted and NOT saved on the 'HarDisc', in memory only. So it will need to be reentered on each restart.
Also, if I may(?), any tip/trick entered and has been made 'moot' by updates should either be removed or so noted by some method chosen by Admins to prevent confusion or misunderstanding. Maybe by entry of the version update that has replaced or made it not necessary.
-
Also, if I may(?), any tip/trick entered and has been made 'moot' by updates should either be removed or so noted by some method chosen by Admins to prevent confusion or misunderstanding. Maybe by entry of the version update that has replaced or made it not necessary.
I already do this on the Tips & Tricks - the short list (http://forums.passwordmaker.org/index.php/topic,378.0.html) post, that summarizes the current 'best of'...
-
Thank you, just attempting to keep these as short as possible.
-
If you want to save a 'current' password, use the 'Advanced Auto-Populate' tab, and save it there in a 'password' field type - this WILL be encrypted. Be aware though that only fields of type 'password' are encrypted, OTHER field types are not. I think Eric agrees that this is a shortcoming, but once the RDF file itself is capable of being encrypted, it will render this shortcoming moot.
I meant advanced auto-populate, and I was wrong about it not being encrypted :)
But it is not currently protected by the master password, i.e. it is auto-filled regardless, I hope this will be fixed when the rdf file gets encrypted.
-
If you want to save a 'current' password, use the 'Advanced Auto-Populate' tab, and save it there in a 'password' field type - this WILL be encrypted. Be aware though that only fields of type 'password' are encrypted, OTHER field types are not. I think Eric agrees that this is a shortcoming, but once the RDF file itself is capable of being encrypted, it will render this shortcoming moot.
But it is not currently protected by the master password, i.e. it is auto-filled regardless, I hope this will be fixed when the rdf file gets encrypted.
I don't save any passwords this way, but I don't think it populates it if you have saved the Master Password Hash - does it? If it does, then I think that certainly is a bug...
-
I believe if it's not controlled by the master password, it's populated.
-
I believe if it's not controlled by the master password, it's populated.
You are prompted for the master password but if you press cancel it fills in the password anyway, however Eric knows about this bug. I'm thinking if the whole rdf is encrypted the master password will be necessary to get any data whatsoever onto the page. I GPG encrypt my rdf when I take my laptop on the road and will set up encrypted partitions next time I reinstall my OS, so I'm not too worried about it at the moment.
-
I'm not particularly interested in encrypting the RDF anymore since we've been recommending the use of TrueCrypt. Is there something I'm missing?
-
I'm not particularly interested in encrypting the RDF anymore since we've been recommending the use of TrueCrypt. Is there something I'm missing?
Maybe the fact that grandma probably isn't interested in using TrueCrypt, and I'm not interested in having to force her to in order to be able to protect her RDF file.
I think pwm should be capable of encrypting the RDF file itself, and not force you to rely on a third party application to protect its settings.
Just mho...