Author Topic: Using accounts  (Read 6906 times)

Offline defaria

  • Jr. Member
  • **
  • Posts: 29
Using accounts
« on: April 29, 2009, 06:56:17 PM »
The guys here are so engaging, thoughtful and quick to respond I figured I'd try my hand at another question. This one's about Accounts. Perhaps I don't understand them that well. I thought that accounts could serve in those times when you go to a web site and use PasswordMaker to generate a password but the password doesn't conform to what the other site thinks is a good password or that they could handle. (Pet peeve - passwords are mine - not yours. Any characters to any (reasonable) length should be just fine! If I want to use "aaa" or "defaria" or "234jkcsfj#)*(#$*()@#%&" then I should be able to use it!). I thought you could then create an account and describe it such that whenever you come back to this site it would use this password or generate a password from this character set for this particular site. However in practice that doesn't seem to be happening.

An example: http://mint.com. I use this site and although it's financial in nature, mint.com is read only. Plus I want to be able to get to this site from my cell phone (and I haven't found an easy way to use PasswordMaker on my cell phone which runs Opera Mobile). So I'm just using one of my "standard" passwords from my personal password scheme. I'd like to have PasswordMaker fill that in for me but when I go to the login page, PasswordMaker instead generates a password based on the mint.com url, which is not the correct password. This happens even though I made an account for mint.com.

I've set up my mint.com account in PasswordMaker by adding it and then going to the Advanced Auto Populate. I can click on the username field on the mint.com site and PasswordMaker fills in the fields for me so I type my username and click add. I do the same for password. Then I go back to the mint.com page (refreshing it - even starting it in a new tab) and my > 8 character password from my personal password scheme is not shown in the mint.com login page. Instead an 8 character, generated by PasswordMaker, password is inserted.

This has always bothered me especially for sites where I need a password which has say no special characters due to restrictions at that site. Sure I can go to the account and then copy the generated password to the clipboard and paste it. But I would think that this should work automatically.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Using accounts
« Reply #1 on: April 29, 2009, 09:27:00 PM »
Quote
The guys here are so engaging, thoughtful and quick to respond I figured I'd try my hand at another question. This one's about Accounts. Perhaps I don't understand them that well. I thought that accounts could serve in those times when you go to a web site and use PasswordMaker to generate a password but the password doesn't conform to what the other site thinks is a good password or that they could handle. (Pet peeve - passwords are mine - not yours. Any characters to any (reasonable) length should be just fine! If I want to use "aaa" or "defaria" or "234jkcsfj#)*(#$*()@#%&" then I should be able to use it!). I thought you could then create an account and describe it such that whenever you come back to this site it would use this password or generate a password from this character set for this particular site. However in practice that doesn't seem to be happening.

This is a correct understanding... the most likely problem is you are not adding the patterns correctly to allow PWM to recognize when it is on that site, and to use the Account Settings you have defined for it.

Read about URL Patterns here...

Note to Eric - the 'Pattern Help' button in PWM is not pointing to the correct link (above)...

Quote
An example: http://mint.com. I use this site and although it's financial in nature, mint.com is read only.

No idea what you mean by 'read only' in this context...

Quote
Plus I want to be able to get to this site from my cell phone (and I haven't found an easy way to use PasswordMaker on my cell phone which runs Opera Mobile). So I'm just using one of my "standard" passwords from my personal password scheme. I'd like to have PasswordMaker fill that in for me but when I go to the login page, PasswordMaker instead generates a password based on the mint.com url, which is not the correct password. This happens even though I made an account for mint.com.

This means it is using the 'Defaults' settings, which means you need to set up the pattern(s) correctly per the above link...

Quote
I've set up my mint.com account in PasswordMaker by adding it and then going to the Advanced Auto Populate. I can click on the username field on the mint.com site and PasswordMaker fills in the fields for me so I type my username and click add. I do the same for password. Then I go back to the mint.com page (refreshing it - even starting it in a new tab) and my > 8 character password from my personal password scheme is not shown in the mint.com login page. Instead an 8 character, generated by PasswordMaker, password is inserted.

This has always bothered me especially for sites where I need a password which has say no special characters due to restrictions at that site. Sure I can go to the account and then copy the generated password to the clipboard and paste it. But I would think that this should work automatically.

Once you get your head around how patterns work, all this should get cleared up for you...

Offline defaria

  • Jr. Member
  • **
  • Posts: 29
Re: Using accounts
« Reply #2 on: April 30, 2009, 01:48:20 AM »
I thought patterns were the key. I have no patterns at all. As you say, I didn't have my head wrapped around them yet. I'll read up and report back...

Re: Mint.com and read-only. If you do finances you should check out mint.com. It's pretty cool. It's a site that pulls from your various banking web sites getting the data and presenting various reports and graphs, etc. It sorta eliminates the need for Quicken (and moving from Windows -> Linux I'm looking at getting rid of things like Quicken). People are naturally concerned about security however as mint.com points out you cannot transfer funds from account 1 -> account 2 through mint. Mint has only effectively read-only access to that data. So while I'd rather have a PasswordMaker password, I do want to have access to mint.com through my cell phone and I don't know of an easy way to get PasswordMaker working on my phone's Opera Mobile browser...

Offline defaria

  • Jr. Member
  • **
  • Posts: 29
Re: Using accounts
« Reply #3 on: April 30, 2009, 03:20:37 AM »
Well that was actually quite simple. I understand regexes - I've been programming Perl now for some 10 years. What I didn't understand was that I need to enter a URL pattern in order to match the web page. For some reason I thought that "Use the following text to calculate the generated password" usually prefilled with the domain name was enough to match web pages. I just needed to read deeper... like reading the "Activate auto-population when the URL of a webpage matches any of the following patterns" and thinking for a second! Sorry to have bothered you. I should have done more homework before posting...

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Using accounts
« Reply #4 on: April 30, 2009, 01:34:32 PM »
Just be absolutely sure that you understand the implications too.

I don't use regexes because I'm not a programmer, and wouldn't trust myself to get it right. For this reason, I use simple wildcard patterns. Since you said you were very familiar with regexes, I won't even go there... ;)

The problem with wildcard patterns is they are a 'contains' search. The reason this is critical is, if your pattern isn't done right, that account is subject to a phishing attack. Done right, it will protect you from phishing attacks...

Example...

using a simple wildcard pattern of:

*.example.com/* is vulnerable, because it will match on:

http://phishing.badsite.com/my.example.com/login.htm

I'll update the wiki to explain this vulnerability in more detail, since it isn't really clear enough imho...

Offline defaria

  • Jr. Member
  • **
  • Posts: 29
Re: Using accounts
« Reply #5 on: April 30, 2009, 03:27:22 PM »
1) You are way more paranoid than me!

2) I would notice a http://phishing.badsite.com/my.example.com/login.htm.

I'm like that. I've been on the net 24/7 since '98 - no A/V software, never, I repeat never gotten a virus nor been phished nor identity stolen. I also have listened to every episode of Security Now, for example. I am in the business, have been all my life, and in general, know what I'm doing. While an exploit like #2 could, in theory, get me I am not concerned with it getting me. Additionally I filter email with a spam filter of my own design (have been for years) such that I don't get spam, much less phishing attempts.

Everybody has different levels of paranoia, mine is very different from yours.

BTW: While I know regexes, patterns, which are really just a smaller class of regexes, suffice for this.

sam

  • Guest
Re: Using accounts
« Reply #6 on: May 07, 2009, 01:31:35 AM »
I just discovered PasswordMaker the other day and this phishing vulnerability jumped out at me right away.  While I'm sure none of *us* would fall for such a phishing attack, the regular Joe out there is not as savvy.

The worst part is that your documentation sets the user up for failure.  First, you make the user feel safe from phishing attacks with this: http://passwordmaker.org/F.A.Q.#How_does_PasswordMaker_defeat_phishing_attacks.3F
Then, you lead the user to use poorly constructed wildcard url patterns like these: http://passwordmaker.org/Firefox/Mozilla/SeaMonkey/Flock/Netscape/Advanced#Advanced_Options:_URLs_Tab

You really need to fix your documentation so that you're not giving users a false sense of security from a very serious vulnerability that they are completely unprotected from.  Ideally, you would change your software in such a way that users can't construct unsafe patterns.  I can think of some ideas for doing that off the top of my head, so I'm sure you can too.

I have decided to use PWM because it's a pretty awesome tool despite its shortcomings and, for the record, I will use regular expressions like this: ^https?://[^/]*google.com/.*
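
The two matching behaviours discussed in this thread (the wildcard "contains" search from Reply #4 and an anchored regex like the one in this reply), as an added illustration in JavaScript that is not PasswordMaker's own code: the wildcard is modelled as the plain contains search the thread describes, the URLs are constructed samples based on the thread's example, and the host-anchored pattern is a stricter variant assumed here for comparison.

```javascript
// Added illustration, not PasswordMaker's implementation. Assumption: a
// wildcard pattern is matched as an unanchored "contains" search, as
// Reply #4 describes; '*' stands for any run of characters.
function wildcardToRegex(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                   // '*' -> any characters
  return new RegExp(escaped);                // no ^ or $: a contains search
}

function wildcardMatches(pattern, url) {
  return wildcardToRegex(pattern).test(url);
}

// The regex posted in this reply, adapted to the thread's example.com host,
// exactly as written: '[^/]*' before the host name and an unescaped dot.
function postedStyleMatches(url) {
  return /^https?:\/\/[^/]*example.com\/.*/.test(url);
}

// Stricter variant (assumption): scheme, then the host itself or a
// subdomain of it, an optional port, then the '/' that ends the authority.
function hostAnchoredRegex(host) {
  const h = host.replace(/\./g, '\\.');
  return new RegExp('^https?://([^/]*\\.)?' + h + '(:\\d+)?/');
}

function hostMatches(host, url) {
  return hostAnchoredRegex(host).test(url);
}

// Constructed sample URLs; the second one is the thread's phishing example.
const LEGIT = 'https://my.example.com/login.htm';
const PHISH = 'http://phishing.badsite.com/my.example.com/login.htm';
const LOOKALIKE = 'https://notexample.com/login.htm';

function demo() {
  return {
    wildcardLegit: wildcardMatches('*.example.com/*', LEGIT),    // true
    wildcardPhish: wildcardMatches('*.example.com/*', PHISH),    // true: path contains the host
    postedLookalike: postedStyleMatches(LOOKALIKE),              // true: '[^/]*' swallows 'not'
    anchoredLegit: hostMatches('example.com', LEGIT),            // true
    anchoredPhish: hostMatches('example.com', PHISH),            // false
    anchoredLookalike: hostMatches('example.com', LOOKALIKE),    // false
  };
}
```

Running demo() shows the contains-style wildcard accepting the phishing URL while the host-anchored check rejects both it and the look-alike host.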

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: Using accounts
« Reply #7 on: May 07, 2009, 01:39:23 AM »
You're right... but it is a wiki for a reason... feel free to make any changes you think appropriate...
