PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: Gary Andrews on December 14, 2005, 09:22:38 PM

Title: Master Password
Post by: Gary Andrews on December 14, 2005, 09:22:38 PM
I need some help in understanding a concept which is being used by PasswordMaker.

Every time I start PasswordMaker it asks for the master password. It seems that I don't have to save this password. Additionally, it also appears that each time I start PasswordMaker I can give it a different master password and it still works.

Therefore it appears to me that someone could log on to my specific computer account (not an account which is password protected) and use PasswordMaker without having to know its master password.

Can anyone explain to me just how the master password concept works?

Thanks
Gary Andrews
Title: Master Password
Post by: tanstaafl on December 14, 2005, 09:40:23 PM
Hi Gary,

The Master Password is only one piece of the PasswordMaker utility. By itself, it doesn't do anything.

What you do is enter the Master Password, then use the password that PasswordMaker then generates *based* on it (and other things, like the URL of the website you are logging into, the username (if you use one), etc.).

But, if you are asking this question, it sounds like you need to read the docs a bit to better understand how to use it, or you'll end up being very confused.

This is a power toy - not so complicated that pretty much anyone can't figure it out - but not so brain-dead simple that you won't have to read a bit.

That said, I'll be the first to tell you - it will be the best learning time you've spent in a long time if you do a lot online.

See the FAQ (http://passwordmaker.org/faq.html) for some questions and answers that will give you a quick/better understanding, and then the Manual (http://passwordmaker.org/help/introduction.xhtml) for a much more in-depth description.

Welcome to the world of PasswordMaker - honestly, I could no more give it up than I could go back to dial-up!

Charles
Title: Master Password
Post by: Eric H. Jung on December 14, 2005, 10:51:18 PM
Hi Gary,

Another comment to add to tanstaafl's good points: even if anyone can enter a master password in your PasswordMaker installation, it's OK.  Unless they enter the same exact master password as you, none of the generated passwords will be the same!
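The behaviour described in the replies above, as an added example that is not part of the original thread and is not PasswordMaker's own algorithm: a stateless derivation stores no master password to check against, so any master password is accepted, but only the right one reproduces the password a site has on file. The HMAC-SHA256 construction, the character set and the name `derive_site_password` are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (70 symbols); not PasswordMaker's default character set.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(master, site, username="", length=12, charset=CHARSET):
    """Derive a site password from (master, site, username) without storing anything.

    Illustrative construction (HMAC-SHA256), not PasswordMaker's algorithm.
    """
    if not master:
        raise ValueError("master password must not be empty")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = [f.encode("utf-8") for f in (site, username)]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Bytes at or above this limit are discarded to avoid modulo bias.
    limit = 256 - (256 % len(charset))
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(master.encode("utf-8"),
                         msg + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(charset[b % len(charset)] for b in block if b < limit)
        counter += 1
    return "".join(out[:length])


if __name__ == "__main__":
    # Constructed sample inputs.
    real = derive_site_password("correct horse battery", "mail.yahoo.com", "gary")
    wrong = derive_site_password("some other guess", "mail.yahoo.com", "gary")
    other_site = derive_site_password("correct horse battery", "example.org", "gary")
    # Every master password "works": there is no stored verifier to reject it.
    # Only the right one reproduces the password the site actually has on file.
    print(real, wrong, other_site, sep="\n")
    assert real != wrong and real != other_site
```

Because the derivation is deterministic, the strength of the master password bounds the strength of every password derived from it.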
Title: Master Password
Post by: Felipe on January 02, 2006, 01:08:54 PM
I think what the OP is trying to say is that all someone needs to know is the user's master password. All of the settings are saved, and when an intruder knows the master password, he can access all of the user's sensitive online data. Of course, without PWM, an intruder would not be able to easily crack the user's passwords, but with PWM, the only ticket is the master password. A chain is only as strong as its weakest link. Here, the weakest link is the master password, a.k.a. the "one password to rule them all" (ripped off, but edited, from J.R.R. Tolkien's The Lord Of The Rings).

-Felipe
Title: Master Password
Post by: Eric H. Jung on January 02, 2006, 02:59:31 PM
Quote
but with PWM, the only ticket is the master password.
Not necessarily. You should password-protect your PC.
Title: Master Password
Post by: Felipe on January 03, 2006, 10:35:01 AM
You're right, and I do password protect my pc - but that's nothing to do with PWM.

To satisfy my curiosity (and to kill time) I did an experiment. Aside from the password needed to enter my computer, which has nothing to do with PWM in the first place, PWM didn't present any other barriers. An intruder would only require my master password to enter my yahoo mail (or any other password protected sites online).

Felipe
Title: Master Password
Post by: Eric H. Jung on January 03, 2006, 02:57:31 PM
Convenience always compromises security. The most secure password system is for you to generate a cryptographically secure random password for each and every website. But that's not very convenient, either, unless you have super-human memory capabilities.

PasswordMaker makes life a little more convenient while still maintaining some semblance of security. But as I said, convenience always compromises security--and not just in software.
Title: Master Password
Post by: Felipe on January 04, 2006, 07:41:50 PM
Well, all the perfect ingredients would need to come together almost simultaneously for an intruder to *crack* into passworded accounts. I agree with what you said, Eric, about convenience compromising security. That nearly always seems to be the case. If people wanted *crack proof* security, they wouldn't get it for free! And they'd probably have to jump through hoops just to log in. All-in-all having PWM is better than not having it, right?
Title: Master Password
Post by: tanstaafl on January 04, 2006, 08:28:55 PM
There's no such thing as 'perfect' security.

If a computer is connected to the internet, it is *always* vulnerable - it is just a matter of degrees.

Same for a computer based account. If it is online, it is vulnerable. Period.

At least with PWM, my accounts are very reasonably secure, and my own habits/practices play a large part in just *how* secure my accounts are. For example, I have my screensaver password protected, and it locks in 3 minutes. It is annoying sometimes, but I am more comfortable with the annoyance of having to unlock it on occasion than I am with the discomfort of walking away and forgetting to lock it and then realizing I left my office door unlocked while I was at lunch with my workstation unlocked.

The bottom line is, with PWM, and a reasonable amount of common sense, your online accounts are far safer *and* more easily accessible than they possibly could be otherwise.

Anyone seen this 'Portable Virtual Machine'? Kewl...

www.metropipe.net/ProductsPVPM.shtml
Title: Master Password
Post by: Eric H. Jung on January 05, 2006, 01:02:57 AM
Quote
Anyone seen this 'Portable Virtual Machine'? Kewl...

www.metropipe.net/ProductsPVPM.shtml
Cool. Why isn't it opensource?
Title: Master Password
Post by: Felipe on January 05, 2006, 01:48:34 PM
Quote
Quote
Anyone seen this 'Portable Virtual Machine'? Kewl...

www.metropipe.net/ProductsPVPM.shtml
Cool. Why isn't it opensource?
At the *very* bottom of the page you'll find:
Quote
Created from 100% Open Source GPL code and binaries.
Title: Master Password
Post by: Guest on January 05, 2006, 02:13:23 PM
When I first read that (created from 100% GPL...) I just took it to mean it IS GPL - but now I'm not so sure. I just emailed them to see.