PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: ThePythonicCow on May 21, 2006, 07:40:53 AM

Title: Verify master password using disk saved hash
Post by: ThePythonicCow on May 21, 2006, 07:40:53 AM
I worry that someday I might set a new password on some new site I visit
using PasswordMaker with a Master Password that I typed in incorrectly.
This would leave me unable to recover that new site's password, since I
would probably not know what typing mistake I had in my Master Password.

So I use the Global Setting:
* Confirm master password by typing it twice instead of once.

If PWM could be asked to store a message digest (say sha256, its choice,
no need for this choice to be optional) of my Master Password on disk,
permanently, then it could verify after I had typed the password just once
that I had entered it correctly (that is, entered the same password from
which the sha256 digest was previously calculated) and I would only have
to enter my Master Password once - if I got it right.

Storing the plain text Master Password on my disk is less secure than I
choose to do.  But storing its sha256 digest, just to verify that I had entered
it correctly the next time, is plenty secure enough for my purposes.

I guess this would be another Global Setting:
* Confirm master password with its disk saved cryptographic hash.

Then I'd just be asked to enter my Master Password once (unless I had
selected the "typing it twice" as well, for those really paranoid of making
typing mistakes here), and if what I entered had the right hash, I'd be
good to go.  If what I entered did not have the right hash, I'd be forced
to try typing it again.

The first time I entered my Master Password on a particular PC, or
whenever I intentionally changed it, what I typed would of course not
match what hash (if any) was saved.  In that case, make me type it
twice, both times matching, with an option box to "Update disk saved
cryptographic hash" in the password entry screen.

Thanks.


Aha - looks like you guys are way ahead of me - I found what I was describing,
as Master Password Verification.

Feel free to move my new feature request to whatever Done or Trash list is
most convenient.

Thanks!!
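
The verify-once flow described in the post above, as an added example that is not part of the thread and is not PasswordMaker's code. It swaps the bare SHA-256 digest for a salted PBKDF2 verifier, because an unsalted fast hash saved on disk can be guessed offline; the function names, record format, iteration count and the handling of the "update" option box are assumptions.

```javascript
// Added example, not PasswordMaker's code. All names and the record format are hypothetical.
const crypto = require('node:crypto');

const ITERATIONS = 200000; // assumed work factor, tune for the target hardware
const KEYLEN = 32;

// Build the record that is saved to disk. The master password itself is never stored.
function makeVerifier(masterPassword, salt = crypto.randomBytes(16)) {
  const hash = crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEYLEN, 'sha256');
  return { salt: salt.toString('hex'), iterations: ITERATIONS, hash: hash.toString('hex') };
}

// Compare one typed entry with the saved record, in constant time.
function matchesVerifier(entry, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  const actual = crypto.pbkdf2Sync(entry, salt, record.iterations, expected.length, 'sha256');
  return crypto.timingSafeEqual(actual, expected);
}

// One entry is enough when it matches the saved record. Otherwise (first use,
// typo, or intentional change) two matching entries are required, and the
// saved record is replaced only when the "update" box is ticked.
function checkEntry(record, first, second, updateSaved = false) {
  if (record && matchesVerifier(first, record)) {
    return { accepted: true, record };
  }
  if (second === undefined) {
    return { accepted: false, record, reason: 'retype' };
  }
  if (first !== second) {
    return { accepted: false, record, reason: 'mismatch' };
  }
  return { accepted: true, record: updateSaved ? makeVerifier(first) : record };
}

// Constructed sample passwords, for illustration only.
let state = checkEntry(null, 'correct horse', 'correct horse', true); // first use on this PC
console.log(checkEntry(state.record, 'correct horse').accepted);      // single entry, matches
console.log(checkEntry(state.record, 'correct hrose').reason);        // typo, must retype
```
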
Title: Verify master password using disk saved hash
Post by: tanstaafl on May 22, 2006, 12:05:50 PM
Quote from: ThePythonicCow
Aha - looks like you guys are way ahead of me - I found what I was describing,
as Master Password Verification.

Feel free to move my new feature request to whatever Done or Trash list is
most convenient.

Thanks!!
Not necessary - but for future reference, the existing FR is located here (http://forums.passwordmaker.org/index.php?showtopic=710).
Title: Verify master password using disk saved hash
Post by: Eric H. Jung on May 23, 2006, 02:34:41 AM
By the way,

Quote
Storing the plain text Master Password on my disk is less secure than I
choose to do.
Not sure what you mean here, but there is no way to store the Master Password on disk in plain text. If you choose to store it to disk, it is stored encrypted.