
Author Topic: Matching defaults & preset profiles for online/offline editions of PasswordMaker  (Read 12628 times)

Offline teedog

  • Normal Members
  • *
  • Posts: 5
First of all, thank you for making this wonderful product and service.  Until the security and limited adoption issues with OpenID are resolved, I think PasswordMaker is the best password management solution that emulates a universal single sign-on system.

Problem:
One issue with PasswordMaker that worries me is the potential loss of all passwords created using PasswordMaker.  As the FAQ states, if I forget my master password, I'm out of luck.  However, the more troublesome case is if I forget the settings I used in PasswordMaker to generate passwords.  Was my password length 8 or 12?  Was the hash algorithm MD5 or SHA-256?  What was my "Use l33t" setting?  What was the "l33t level"?  What character set did I choose?  As I understand it, if I am mistaken about any of these settings, I will be unable to recreate my passwords even if I remember my master password.

The obvious solution for people who are afraid they'd forget the settings is to leave everything as is, not changing the default settings.  Unfortunately, this gives rise to another problem.  The default settings in the online edition and the Firefox extension edition of PasswordMaker are different.  Ex. default password length is 8 in Firefox and 12 online; default algorithm is MD5 in Firefox and SHA-256 online; online edition has the following character set but the Firefox edition does not:
Quote
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

Suggestion:
The default settings should be identical in every edition of PasswordMaker.  Users should be warned that they are not to change the default settings unless they know what they're doing, and if they do change the settings, they had better remember them.

A further improvement would be to add preset profiles to every edition of PasswordMaker.  For example, a default profile may have settings that generate passwords that are compatible with most sites.  A "compatibility" profile may have settings that generate passwords that are guaranteed to work almost anywhere (no special characters, not too long, etc.).  A "secure" profile may have settings that generate passwords that are extra strong but might be rejected by some sites.  Again, these profiles must be identical across every edition of PasswordMaker.

This way, a user just has to remember his/her master password and settings profile.
« Last Edit: September 23, 2007, 12:08:57 AM by teedog »
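To make the lockout risk concrete, here is a small added Python illustration (written for this page, not code from the thread or from PasswordMaker): a simplified deterministic derivation that hashes the master password together with the site name and encodes the digest into a chosen character set. The derivation itself, the profile names and the SPECIALS alphabet are assumptions made up for the example; only the length/algorithm pairs (8/MD5 versus 12/SHA-256) and the alphanumeric set come from the post. The point it shows is that the same master password under two different "default" profiles yields unrelated passwords, that an all-alphanumeric profile passes a restrictive site policy, and that a fingerprint of the settings alone lets a user later confirm they have reconstructed the right profile without storing the master password anywhere.

```python
import hashlib
import json

# Constructed alphabets for the illustration. ALNUM is the set quoted in the
# post; SPECIALS is an assumed extra set, not PasswordMaker's actual default.
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
SPECIALS = "!@#$%^&*()_-+=<>?"

# Hypothetical preset profiles. The length/algorithm pairs mirror the two
# mismatched defaults reported in the thread; the profile names are made up.
PROFILES = {
    "firefox-default": {"algorithm": "md5", "length": 8, "charset": ALNUM + SPECIALS},
    "online-default": {"algorithm": "sha256", "length": 12, "charset": ALNUM + SPECIALS},
    "compatibility": {"algorithm": "sha256", "length": 15, "charset": ALNUM},
}


def derive_password(master: str, site: str, profile: dict) -> str:
    """Simplified deterministic derivation (an assumption for this example,
    NOT PasswordMaker's real algorithm): hash master+site+counter, encode the
    digest in base len(charset), and draw further digests until `length`
    characters have been produced."""
    charset = profile["charset"]
    base = len(charset)
    out = []
    counter = 0
    while len(out) < profile["length"]:
        h = hashlib.new(profile["algorithm"])
        h.update(f"{master}{site}{counter}".encode("utf-8"))
        n = int.from_bytes(h.digest(), "big")
        # Peel off base-N digits; a zero digest simply moves to the next counter.
        while n and len(out) < profile["length"]:
            n, r = divmod(n, base)
            out.append(charset[r])
        counter += 1
    return "".join(out)


def fits_site_policy(password: str, allowed: str) -> bool:
    """True when every character of the password is in the site's allowed set."""
    return all(c in allowed for c in password)


def profile_fingerprint(profile: dict) -> str:
    """Stable SHA-256 of the settings alone (no master password involved), so a
    user can later check that a reconstructed profile matches what they used."""
    canonical = json.dumps(profile, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    master, site = "correct horse", "example.com"  # constructed sample inputs
    for name, prof in PROFILES.items():
        pw = derive_password(master, site, prof)
        print(f"{name:16} {pw:16} alnum-only={fits_site_policy(pw, ALNUM)} "
              f"fingerprint={profile_fingerprint(prof)[:12]}")
```

Running the script prints three different passwords for one master password and one site; the "compatibility" line is the only one guaranteed to pass an alphanumeric-only site policy, and each profile has a distinct fingerprint that can be written down in place of the full settings.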

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Hi teedog,

Welcome to the wonderful world of PasswordMaker! :)

Your concern is valid, but you might be interested in this thread, which discusses this very subject, although the initial question is about something different (the security risks of storing the master password on disk or in memory). It presents a very workable solution. It does take some forethought and planning, but it works. The original idea was not mine, but I adopted it and expanded it to my own needs...

Please feel free to ask questions, suggest alternatives - or maybe even a completely different method that will be easier and work as well or better... I'm all for easier, myself - heh, that's why I use PasswordMaker... ;)

Offline teedog

  • Normal Members
  • *
  • Posts: 5
Are you referring to the following tips?
Quote
Quote
One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?
Yep - which means don't lose them. Suggestions for recovering from a situation where you do lose them, in preferred (most secure) order:

1) modify the settings, but in such a way that you could reproduce the modifications from memory, and/or

2) write down the modifications you make, and put this information a safe place, or

3) don't modify the settings from the Defaults.

If you are truly paranoid, your head is the safest place (as long as you don't talk in your sleep and your wife/partner doesn't work for the NSA or the IRS or ...), and/or maybe in your Safety Deposit Box at your bank - although this information would be available to law enforcement if they knew about it. This is actually not a bad idea, for one reason: if you have secret stuff that your loved ones may need access to if something happens to you. This is actually something that has concerned me. My system is such that I can re-create these with ease from memory, but if something happened to me, no one would be able to get into my accounts. Now, I'm sorry to say, I don't have millions stashed away in a secret Panamanian bank, but seriously, if I did have anything of substance, I would do something like this so that my wife could get access to everything.
I definitely agree that 1) and 2) are fine for people who are confident in those methods, like yourself.  However, my point is that a lot of people might prefer to use default settings (like your 3rd point) or preset profiles.  The problem there is that the defaults in the Firefox extension are not the same as the defaults in the online form.  People might find themselves locked out of their accounts if they rely on the online edition and the fact that they used default settings.  They would have no idea how the settings in Firefox differ from those on the online edition.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Hmmmmm... I don't use the online version, but if you're right, then I agree, the online version should use the same Defaults - in fact, *all* versions should have the same Defaults...

Eric?

But, as to your last comment - they could always download the extension and see what the Defaults are, so it's not like they would be lost forever - as long as it was the Defaults they were using. These have not changed in a long time, and I don't imagine they ever will precisely because it would break the Defaults for everyone who used them.


Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
The mismatch between default settings has been a recurring problem, and I don't really understand why. Various people, including myself, have made numerous attempts over the years to ensure the defaults are the same. If the defaults still don't match between the FF and online editions, can you please specify the settings that are different for you? Note that the online edition stores any changes you make in a cookie, so you have to delete the cookie to restore the original defaults.

Offline teedog

  • Normal Members
  • *
  • Posts: 5
The mismatches that I noticed over the weekend:

- default password length is 8 in Firefox and 12 online
- default algorithm is MD5 in Firefox and SHA-256 online
- online edition has the following character set but the Firefox edition does not:
Quote
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

I'll look again when I find time.  Thanks for looking into this!

P.S. Perhaps add a "reset to defaults" function on every PasswordMaker edition if not multiple preset profiles?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Quote
The mismatches that I noticed over the weekend:

- default password length is 8 in Firefox and 12 online
- default algorithm is MD5 in Firefox and SHA-256 online
- online edition has the following character set but the Firefox edition does not:
Quote
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

Ummmm....

What version of the extension are you using? It hasn't had these defaults for a very long time...

Offline teedog

  • Normal Members
  • *
  • Posts: 5
Quote
Ummmm....

What version of the extension are you using? It hasn't had these defaults for a very long time...
Fresh install of v1.7 beta 8.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Ok, well, this is weird...

I have confirmed that the defaults on a clean RDF file are as you described EXCEPT for the character set...

Here is how I see them in both (and I don't use the online version, so nothing would be cached):

Firefox 1.7b8:
Hash Alg: MD5
Length: 8
Character set: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./

Online version:
Hash Alg: SHA-256
Length: 12
Character set: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./

So the only difference between what you are reporting and what I'm seeing is the character set.

Which means, the difference I'm seeing between the online version and a fresh RDF in Firefox is the Hash Alg and the password length.

Eric?

Offline teedog

  • Normal Members
  • *
  • Posts: 5
Ah, you're correct about the character set.  What I was thinking about was that the online version had the following preset optional set but the Firefox extension does not have it (I can manually edit it so they match, obviously):
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

In fact, I believe this character set would make a better default since some sites don't allow special characters in passwords.  If anything, perhaps the password length default can be lengthened to 15 or something.  I sincerely hope there aren't sites dumb enough to disallow long and strong passwords.

Anyway, cheers for making PM more user-friendly and working out-of-the-box!
« Last Edit: September 26, 2007, 10:02:56 PM by teedog »

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1154
  • Programmer
Re: Matching defaults & preset profiles for online/offline editions of PasswordM
« Reply #10 on: September 27, 2007, 12:06:42 AM »
I know of a site that needs the character set abcdefghijklmnopqrstuvwxyz0123456789, and it silently (maybe it was changed) converts a new password to lowercase (then hashes it). And most bank sites don't allow special characters, but require a long password.
"I'm not drunk, just sleep deprived."

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Matching defaults & preset profiles for online/offline editions of PasswordM
« Reply #11 on: September 27, 2007, 01:14:27 AM »
Quote
I know of a site that needs the character set abcdefghijklmnopqrstuvwxyz0123456789,

Yeah, I have one of those myself (netzero)...

Quote
and it silently (maybe it was changed) converts a new password to lowercase (then hashes it).

The site backend silently converted it? That's bad... I'd complain loudly, or not use that site (if that was an option)...

Quote
And most bank sites don't allow special characters, but require a long password.

I know, isn't that nuts? I mean, if you'd want to use a strong password *anywhere*, it would be a bank login...

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Matching defaults & preset profiles for online/offline editions of PasswordM
« Reply #12 on: September 27, 2007, 01:16:24 AM »
Quote
Ah, you're correct about the character set.  What I was thinking about was that the online version had the following preset optional set but the Firefox extension does not have it (I can manually edit it so they match, obviously):
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

Weird again. I could have sworn that one was a preset, but you're right, I don't see it now.

Quote
In fact, I believe this character set would make a better default since some sites don't allow special characters in passwords.  If anything, perhaps the password length default can be lengthened to 15 or something.  I sincerely hope there aren't sites dumb enough to disallow long and strong passwords.

You'd be surprised at how many dumb sites there are out there...
