Author Topic: Visibility of accounts in advanced option mode  (Read 15446 times)

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Visibility of accounts in advanced option mode
« on: December 29, 2007, 11:58:23 PM »
I have never noticed this before, but since I am out of town visiting relatives, I am using their computer and have just downloaded and installed PasswordMaker for Firefox and installed my rdf file from a pocket flashdrive and am using PWM successfully. But, I have just noticed that even before entering my master password I can click the blue Advanced Options link and I can see all my accounts listed and the complete info on characters, password length, etc. I don't like this. Wouldn't it be possible to prevent this viewing access by forcing entry of the master password first? Or is there an option already I am not aware of?

I will definitely uninstall the PWM add-on before leaving for home!

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Re: Visibility of accounts in advanced option mode
« Reply #1 on: December 30, 2007, 12:07:30 AM »
And just discovered that the account info can be changed without entering a master password! I think there is a bug.

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Re: Visibility of accounts in advanced option mode
« Reply #2 on: December 30, 2007, 12:15:43 AM »
I am on a Windows computer using Firefox 2.0.0.11 and PWM 1.7.1

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: Visibility of accounts in advanced option mode
« Reply #3 on: December 30, 2007, 01:39:49 AM »
Currently there is no option for handling this.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: Visibility of accounts in advanced option mode
« Reply #4 on: December 30, 2007, 01:44:44 AM »
Hi,

This is not a bug. This is the behavior by design. There is mathematically no chance that your passwords can be stolen even if someone can see all of your settings and/or passwordmaker.rdf file--providing they don't have the master password.

That is the whole *point* of PasswordMaker. All data is useless without the master password. That is why you are discouraged from saving the master password to disk.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Re: Visibility of accounts in advanced option mode
« Reply #5 on: December 30, 2007, 02:47:23 AM »
The point is, others can edit his advanced settings data. I think. But as there's two parts anyway...
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: Visibility of accounts in advanced option mode
« Reply #6 on: December 30, 2007, 04:24:32 AM »
If his point was that PasswordMaker should prevent the editing of settings without entering a password, my response would be: how would PasswordMaker prevent someone from editing the RDF file on the hard drive, completely bypassing PasswordMaker?

It strikes me that this should be handled at the file system level. Store your RDF file in a user directory, for instance, so that other users can't edit it, or keep it stored on a remote filesystem (e.g., over FTP or WebDAV) or on a thumbdrive.
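
An added illustration, not part of the original thread and not PasswordMaker's actual algorithm or file format: a toy HMAC-SHA256 derivation shows why visible settings do not reveal a password without the master password, while an edited setting silently changes the generated password, which a digest kept with an off-machine backup can detect. The field names, sample values and function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample settings; the field names are hypothetical and do not
# reflect the real passwordmaker.rdf schema.
SETTINGS = {
    "site": "example.com",
    "username": "owl",
    "length": 12,
    "charset": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
}

def derive(master: str, s: dict) -> str:
    """Toy derivation: HMAC-SHA256 keyed by the master password over the settings."""
    data = f"{s['site']}|{s['username']}".encode()
    charset = s["charset"]
    limit = 256 - (256 % len(charset))  # rejection sampling avoids modulo bias
    out, counter = [], 0
    while len(out) < s["length"]:
        block = hmac.new(master.encode(), data + bytes([counter]), hashlib.sha256).digest()
        out.extend(charset[b % len(charset)] for b in block if b < limit)
        counter += 1
    return "".join(out[: s["length"]])

def settings_digest(s: dict) -> str:
    """Plain SHA-256 over canonical JSON; store it with the backup, off the shared machine."""
    return hashlib.sha256(json.dumps(s, sort_keys=True).encode()).hexdigest()

def demo() -> dict:
    baseline = settings_digest(SETTINGS)    # recorded before using a guest computer
    tampered = dict(SETTINGS, length=8)     # someone edits a visible setting
    good = derive("correct horse", SETTINGS)
    return {
        "repeatable": good == derive("correct horse", SETTINGS),
        "wrong_master_differs": good != derive("guess", SETTINGS),
        "tampered_password_differs": good != derive("correct horse", tampered),
        "tamper_detected": settings_digest(tampered) != baseline,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The integrity check uses an unkeyed digest on purpose: a tag keyed with the master password and stored beside the settings would give anyone holding the file a way to test master password guesses offline.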

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: Visibility of accounts in advanced option mode
« Reply #7 on: December 30, 2007, 04:44:52 AM »
I just realized that you *still* can't control the location of the PasswordMaker settings file. Adding this ability will kill at least 3 birds with one stone:

1. Allows you to encrypt the settings file with a tool like http://www.truecrypt.org
2. Prevents people from editing your settings file (if using a tool like TrueCrypt to encrypt it)
3. Prevents people from seeing your settings (again if using a tool like TrueCrypt)
4. Allows you to store the file on a USB drive for easier portability -- no need to copy the file from a USB drive (or FTP or WebDAV) to the local file system. If you store the TrueCrypt file on the USB drive, you get numbers 1-3, too.

I think this will be a big priority for me as soon as Firefox 3 compatibility is finished.

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Re: Visibility of accounts in advanced option mode
« Reply #8 on: December 30, 2007, 05:05:18 AM »
Since, in this situation, I was using a relative's computer and I have never noticed this aspect of PWM, it shocked me. I never thought of this info as being so easily accessible to prying eyes. On my personal computers I have the entire OS password protected which prevents easy access to my home directory and therefore PWM.

As the program exists now, a person can screw up the settings (which I just tested to see if possible) or simply export the data. The main rule, I suppose, is to always keep backups of your settings in multiple places.

Is it possible to have PWM have the import settings on the basic screen and then require the master password to be typed in before the account tab info is visible in the advanced settings?

Or to have the account tab protected by a global setting option similar to "hide master password field..."? But of course that protection would disappear once the browser was closed.... this is more complex than I first thought... I will have to think about this some more!

I have never considered where the account data is stored on the computer for PWM. At this stage I am just thinking about the casual prying eyes and not the experienced hacker seeking the password data.

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Re: Visibility of accounts in advanced option mode
« Reply #9 on: December 30, 2007, 05:19:02 AM »
Since I will be returning home, I will uninstall the Firefox PWM add-on from this relative's computer. Will my account data also vanish or is it stored somewhere on the computer that I should delete?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Visibility of accounts in advanced option mode
« Reply #10 on: December 30, 2007, 02:06:41 PM »
> I just realized that you *still* can't control the location of the PasswordMaker settings file. Adding this ability will kill at least 3 birds with one stone:
>
> 1. Allows you to encrypt the settings file with a tool like http://www.truecrypt.org
> 2. Prevents people from editing your settings file (if using a tool like TrueCrypt to encrypt it)
> 3. Prevents people from seeing your settings (again if using a tool like TrueCrypt)
> 4. Allows you to store the file on a USB drive for easier portability -- no need to copy the file from a USB drive (or FTP or WebDAV) to the local file system. If you store the TrueCrypt file on the USB drive, you get numbers 1-3, too.
>
> I think this will be a big priority for me as soon as Firefox 3 compatibility is finished.

Good news... this is one I'd really like to see implemented... thanks!

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Visibility of accounts in advanced option mode
« Reply #11 on: December 30, 2007, 02:07:57 PM »
> Since I will be returning home, I will uninstall the Firefox PWM add-on from this relative's computer. Will my account data also vanish or is it stored somewhere on the computer that I should delete?

Be sure to delete the .rdf file from their user profile. Uninstalling PWM does NOT delete the .rdf file.

Maybe it should? Not sure if it is even possible though.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Visibility of accounts in advanced option mode
« Reply #12 on: December 30, 2007, 02:09:23 PM »
The best thing to do for things like this is to keep a thumb drive with a portable version of FFox on it... this way you don't have to install or uninstall anything...

www.portableapps.com

Offline owlbebak

  • Jr. Member
  • **
  • Posts: 16
Re: Visibility of accounts in advanced option mode
« Reply #13 on: December 30, 2007, 03:36:14 PM »
Thanks tanstaafl,

I will give the PortableApps a try.

Another option I guess, when using a guest computer, is to create another temporary Firefox profile and install the PWM and personal data to that. Then when leaving, just delete the temporary Firefox profile.

If the guest computer already had PWM installed, wouldn't it be necessary to do this anyway in order to have my personal settings?

« Last Edit: December 30, 2007, 03:45:23 PM by owlbebak »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: Visibility of accounts in advanced option mode
« Reply #14 on: December 30, 2007, 04:19:50 PM »
> If the guest computer already had PWM installed, wouldn't it be necessary to do this anyway in order to have my personal settings?

Yep. Start firefox.exe with the "-profileManager" argument to manage profiles. But tanstaafl's PortableFirefox idea is the way to go when traveling, IMO.
