PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Help and Support => Topic started by: niteflytes on April 07, 2007, 06:23:20 PM

Title: Am I missing the point?
Post by: niteflytes on April 07, 2007, 06:23:20 PM
I feel like I'm not fully understanding how PM is better than having a list of user names and passwords stored in a password protected Excel file or some other password protected PW manager. Either way, if someone discovers my master PW they have access to all of my accounts, don't they?

I understand that someone can't just download PM onto their computer (or use the online version), use my master password and, without knowing all of my other default settings, generate my passwords. But...if someone were to hack my master password AND have my rtf file, or gain access to my computer and put my master PW into my PM Firefox extension they would be able to generate all of my passwords, wouldn't they?

If I'm missing something, someone please explain what it is. Thanks!!!
Title: Am I missing the point?
Post by: tanstaafl on April 07, 2007, 10:09:32 PM
Quote from: niteflytes
I feel like I'm not fully understanding how PM is better than having a list of user names and passwords stored in a password protected Excel file
I can crack a password protected excel file in no time.

Quote
or some other password protected PW manager. Either way, if someone discovers my master PW they have access to all of my accounts, don't they?
In order to have access to all of your accounts, they would have to have both your MPW *and* your RDF file.

Quote
I understand that someone can't just download PM onto their computer (or use the online version), use my master password and, without knowing all of my other default settings, generate my passwords. But...if someone were to hack my master password AND have my rtf file, or gain access to my computer and put my master PW into my PM Firefox extension they would be able to generate all of my passwords, wouldn't they?
Yes... but I'm afraid I don't quite get your concern. If your computer is compromised, it is compromised.

Quote
If I'm missing something, someone please explain what it is. Thanks!!!
There may be a few things you have not considered...

1. PWM does not 'store' your passwords, it generates them on the fly,

2. PWM will auto-input them, making it very simple and easy to log in securely to your online accounts,

3. There are certain 'tricks' you can use to add infinitely more security to your usage of PWM.

In reference to #3, consider this...

You have a bunch of accounts in PWM. You have them in different groups, organized by importance (Financial accounts, ISP/email accounts, web forums, etc).

What if you came up with your own little algorithm that you used with your passwords, wherein you modified each password that PWM generated before actually logging into the site?

For example, you could always add a '1' to the beginning of the password, a '2' in the middle, and a '3' at the end.

Or, you could always delete the first and last characters.

Or any infinite number of variations on the above.

You could even have different ways of modifying them, based on the account name, or the group it was in, or both, or... well, hopefully you get the idea by now...



The fact is, PWM, intelligently used, is far more secure than anything else you have ever used, or most likely will ever use.
Title: Am I missing the point?
Post by: niteflytes on April 08, 2007, 12:29:19 AM
Thanks. The more I read about PM and experiment with it the better I'm understanding it. I especially like your tricks to add more security.

Title: Am I missing the point?
Post by: sailinship on May 02, 2007, 04:58:29 PM
"1. PWM does not 'store' your passwords, it generates them on the fly,"

Does that mean that they are made each time by use of the algorithm/url combination?


"3. There are certain 'tricks' you can use to add infinitely more security to your usage of PWM.

In reference to #3, consider this...

You have a bunch of accounts in PWM. You have them in different groups, organized by importance (Financial accounts, ISP/email accounts, web forums, etc).

What if you came up with your own little algorithm that you used with your passwords, wherein you modified each password that PWM generated before actually logging into the site?

For example, you could always add a '1' to the beginning of the password, a '2' in the middle, and a '3' at the end."

Are you saying to add these #'s in after the password is in the PW field? So if I auto populate, and see a bunch of asterisks, I add some characters?

Title: Am I missing the point?
Post by: Miquel 'Fire' Burns on May 02, 2007, 05:11:04 PM
Yes to both.
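
An added example, not part of the thread and not PasswordMaker's own code: a simplified sketch of the two ideas confirmed above, passwords recomputed each time from the master password, the site and the per-account settings, and the manual '1'/'2'/'3' tweak applied afterwards. The HMAC-SHA256 construction, the settings fields and the function names are assumptions made for this illustration and will not reproduce PasswordMaker's real output.

```python
import hashlib
import hmac
import string

# Hypothetical per-account settings, standing in for what the thread calls
# the RDF file. Field names are assumptions for this sketch.
DEFAULT_SETTINGS = {
    "username": "",
    "length": 12,
    "counter": 1,
    "charset": string.ascii_letters + string.digits,
}


def generate(master_password, site, settings):
    """Recompute a site password from its inputs; nothing is stored."""
    charset = settings["charset"]
    # Bytes at or above this limit are skipped to avoid modulo bias.
    limit = 256 - (256 % len(charset))
    base = "|".join([site, settings["username"], str(settings["counter"])])
    out, block = [], 0
    while len(out) < settings["length"]:
        digest = hmac.new(master_password.encode(),
                          f"{base}|{block}".encode(),
                          hashlib.sha256).digest()
        for b in digest:
            if b < limit and len(out) < settings["length"]:
                out.append(charset[b % len(charset)])
        block += 1
    return "".join(out)


def personal_tweak(password):
    """The manual rule from the thread: '1' first, '2' in the middle, '3' last."""
    mid = len(password) // 2
    return "1" + password[:mid] + "2" + password[mid:] + "3"


if __name__ == "__main__":
    mpw = "constructed-master-password"  # constructed sample value
    pw = generate(mpw, "example.com", DEFAULT_SETTINGS)
    print("generated twice, identical:",
          pw == generate(mpw, "example.com", DEFAULT_SETTINGS))
    other = dict(DEFAULT_SETTINGS, counter=2)
    print("same master password, other settings, differs:",
          pw != generate(mpw, "example.com", other))
    print("typed into the site after the tweak:", personal_tweak(pw))
```

In this sketch the tweak rule lives only in the user's head, so the master password plus the settings reproduce `generate()` output but not the string actually sent to the site.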