What's the consensus here? Is it better to store on the hard drive or type it out each time? The thing that attracted me to this program in the first place is I did not like how other password programs stored lists of passwords on the hard drive.
This is a good question, but due to its nature, one that each person has to answer for themselves...
The fundamental question is one of convenience vs security...
When you store the MP (Master Password) on disk (or in memory), it is stored encrypted - but, because PM is open source, and because PM must be able to decrypt the MP, it would not be difficult for a cracker to write some code to steal your MP if they were able to install their code on your computer.
On the other hand, I have read some posts from people who claim that typing out the master pw makes you vulnerable to keyloggers... So I'm kind of confused.
Understandable, but there are acceptable options, even for those super paranoid folks like us!
Yes, if your computer is compromised with a keylogger, the keylogger could grab your MP - but NOT your generated password(s), because they are not actually typed on your keyboard.
There are different ways to deal with these issues, but to give you some ideas...
One thing you can do - and I highly recommend that you do this, but give it some serious thought, and work out a system first - is to modify the Default Settings, and the settings for all of your Custom Accounts (i.e., important financial accounts, etc.) in such a way that it would be difficult to guess how you had modified them - but in such a way that you could reproduce these modifications if it became necessary. Even better, you could use different settings for different types of accounts (which is what I do) - one for unimportant accounts (like online forums, etc.), and one for financial accounts.
Also, keep good backups of your RDF file.
Another way to add another layer of security is to develop a simple yet not easily guessable pattern of adding/replacing characters in your generated passwords that is stored in one place that crackers haven't figured out how to access yet - your head. For example, you could add a certain character (for example, the '$'), in the 3rd position of every generated password. So, when PM populates your password field, you'd have to place your mouse in the field, move the cursor to the 3rd position, and manually enter the '$' character.
Of course, this is also subject to being detected by keyloggers.
The fact is, the only truly secure computer is one that is not plugged into a wall socket. If your computer is compromised by a keylogger, then you have more serious problems you need to deal with.
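As an added illustration (this is not PasswordMaker's code or its real algorithm, just a simplified stand-in), the following Python shows the idea behind the two suggestions above: the same master password yields a different password once the per-account settings are changed, and a memorised post-transform (the '$' in the 3rd position) is applied after generation, so neither the settings nor the transform is ever stored on disk. The function names and the HMAC-SHA256 construction are assumptions.

```python
import hashlib
import hmac
import string

# Simplified deterministic generator (assumption: NOT PasswordMaker's algorithm).
# Inputs: master password, site name, and per-account settings. Nothing is stored;
# the password is re-derived every time from what the user knows.

def generate(master, site, length=12,
             charset=string.ascii_letters + string.digits, modifier=""):
    """Derive a password for `site` from `master` plus the account settings."""
    # Every setting is mixed into the keyed hash, so changing any setting
    # (length, character set, modifier text) changes the whole output.
    msg = f"{site}|{length}|{charset}|{modifier}".encode()
    key = master.encode()
    out = []
    counter = 0
    # Generate as many hash blocks as needed to reach the requested length.
    while len(out) < length:
        block = hmac.new(key, msg + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(charset[b % len(charset)] for b in block)
        counter += 1
    return "".join(out[:length])

def mental_transform(password, ch="$", position=3):
    """Memorised post-processing step: put `ch` in the given 1-based position."""
    idx = position - 1
    return password[:idx] + ch + password[idx:]

def derive(master, site, **settings):
    """Full flow: generate from settings, then apply the memorised transform."""
    return mental_transform(generate(master, site, **settings))

if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    mp, site = "correct horse battery", "bank.example"
    default = generate(mp, site)                       # Default Settings
    custom = generate(mp, site, length=16, modifier="fin-2")  # modified settings
    print("defaults :", default)
    print("custom   :", custom)
    print("final    :", mental_transform(custom))
```

Run it twice to confirm the outputs are identical each time: determinism is what lets the settings and transform live only in your head.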
I guess I'd ask the developers of this program... what do you do? Type it out or store it on the hard drive?
Although I'm not a developer, personally, I don't store mine at all. I use different MPs for different account types - in fact, I have 5 different ones, for different 'categories' of accounts. I sat down and figured out a system that I was comfortable with on how to categorize them, and it has worked well for me.
One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?
Yep - which means don't lose them. Suggestions for recovering from a situation where you do lose them, in preferred (most secure) order:
1) modify the settings, but in such a way that you could reproduce the modifications from memory, and/or
2) write down the modifications you make, and put this information in a safe place, or
3) don't modify the settings from the Defaults.
If you are truly paranoid, your head is the safest place (as long as you don't talk in your sleep and your wife/partner doesn't work for the NSA or the IRS or ...), and/or maybe in your Safety Deposit Box at your bank - although this information would be available to law enforcement if they knew about it. This is actually not a bad idea, for one reason: if you have secret stuff that your loved ones may need access to if something happens to you. This is actually something that has concerned me. My system is such that I can re-create these with ease from memory, but if something happened to me, no one would be able to get into my accounts. Now, I'm sorry to say, I don't have millions stashed away in a secret Panamanian bank, but seriously, if I did have anything of substance, I would do something like this so that my wife could get access to everything.