Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension > Tips And Tricks

How to make PWM save a custom password.

Eric H. Jung:

--- Quote ---For example:

    * My password is "secret"
    * I set the password length to 6, and Characters to "0123456789abcdef" (for this example)
    * The generated password is now "4c69ac". Because the "c" character is twice in the generated password, I need to change the modifier.
    * Now I enter "123456" in the modifier field, and the generated password becomes "f46db1". This is fine.
    * Now I replace "f" in the character field with "s". 4 with e, 6 with c, .....
    * The result is "0t23e5c789aecres", now the generated password is "secret".
--- End quote ---

I don't really understand how this gets around the problem you describe. Can you elaborate? FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthorized users in the first place.

wimh:

--- Quote from: Eric H. Jung ---FWIW, I think a better workaround is to lock your PC when you walk away from it; i.e., prevent access to your PC by unauthorized users in the first place.
--- End quote ---

I agree with that, but there are cases where that is not always possible.

To explain what I mean, enter the following in passwordmaker or the online version at http://passwordmaker.org/passwordmaker.html


--- Code: ---masterkey a
no leet
MD5 hash
domain passwordmaker.org
length 6
username b
modifier 123456
keys wtdfegcvxqzearbs
no prefix/suffix

--- End code ---

this generates the password from my example ("secret")

but only with the correct masterpassword.
without a masterpassword "ezcfvd" is generated.
with test as masterpw, "scazrw" is generated.

So this means nobody can find this password in any way without the masterpassword. So even if somebody steals my laptop, I don't have to worry about my password.
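
The charset-substitution trick from the post above, as an added example that is not part of the original thread and not PasswordMaker's own code. The names `indices`, `generate` and `fit_charset` are hypothetical, and the hash-to-digits step is a simplified stand-in for the real generator, so the modifier and charset it finds will differ from the ones in the post.

```python
import hashlib

def indices(master, domain, username, modifier, length, base):
    # Simplified stand-in for the generator (assumption, not PasswordMaker's
    # real algorithm): MD5 over the inputs, read as `length` base-N digits.
    data = (master + domain + username + modifier).encode()
    n = int.from_bytes(hashlib.md5(data).digest(), "big")
    digits = []
    for _ in range(length):
        n, d = divmod(n, base)
        digits.append(d)
    return digits

def generate(master, domain, username, modifier, length, charset):
    # Each digit selects one character from the configured charset.
    idx = indices(master, domain, username, modifier, length, len(charset))
    return "".join(charset[i] for i in idx)

def fit_charset(master, domain, username, target, filler, max_tries=1000):
    # Try modifiers until no index has to stand for two different target
    # characters (the "c appears twice" conflict in the quoted example), then
    # overwrite the used charset slots with the target's characters.
    for m in range(max_tries):
        modifier = str(m)
        idx = indices(master, domain, username, modifier, len(target), len(filler))
        slot = {}
        if all(slot.setdefault(i, ch) == ch for i, ch in zip(idx, target)):
            charset = "".join(slot.get(i, filler[i]) for i in range(len(filler)))
            return modifier, charset
    raise ValueError("no conflict-free modifier found")

if __name__ == "__main__":
    # Constructed inputs, mirroring the settings listed in the post.
    mod, cs = fit_charset("a", "passwordmaker.org", "b", "secret", "0123456789abcdef")
    print("stored settings:", mod, cs)
    print("correct master :", generate("a", "passwordmaker.org", "b", mod, 6, cs))
    print("wrong master   :", generate("test", "passwordmaker.org", "b", mod, 6, cs))
```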

morguns:
i might be heading down a tangent here, but the point of passwordmaker is to generate passwords on the fly. i don't believe it was intended to be a password keeper program like keepass, password agent, etc., etc. it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?" now back to your regularly scheduled program.... :)

Eric H. Jung:
OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out. You wrote:


--- Quote ---Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
--- End quote ---
So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.

wimh:

--- Quote from: morguns ---it's great that eric has implemented functionality to help folks who want/need to use existing passwords, but the $64 question is: "should passwordmaker be a password _keeper_ in addition to what it currently is?"
--- End quote ---
Take a look at the FAQ "I want PasswordMaker to automatically populate webpage forms for me, but I don't want to change my password on some sites. Is PasswordMaker still a good choice?". The answer there is yes. So if this is considered a feature, then I think it must be used as securely as possible. This does not even require a software change.

I agree that a brute force attack to find the generated password becomes easier, but it is still pretty secure if used the right way. If you ever need to change the master password, you can use this technique too.


--- Quote from: Eric H. Jung ---OK, that's a neat trick, but I still don't understand how it solves the problem you pointed out.  You wrote:


--- Quote ---Now with the right tools, the text in the password field can be read. Even passwordmaker itself is able to do this.
--- End quote ---

So even if I have a generated password that is a human-readable word or phrase, it can still be read when populated in websites with the right tools.

--- End quote ---
I am not sure I understand what you mean (English is not my native language). But I will give an example:

* browse to http://www.web-log.nl/login.php


* Go to passwordmaker
* enter the master password
* show advanced options
* add a new account
* General: name = web-log.nl
* URLs: Add wildcard pattern *web-log.nl/*
* Advanced auto populate:
* click on the "Wachtwoord" field on the web page (field name and type becomes password)
* enter a password and press add
* press Ok and close passwordmaker


* now restart firefox, to pretend you are somebody else


* browse to http://www.web-log.nl/login.php
* Now the password is automatically filled (without anything asked)
* This means:
* * that person can use the site using my login
* * if I enter java script:alert(document.forms[1].elements[1].value); in the url bar, I can see the password (no space between java script)
* * If I go to the adv. autopopulate and click the "Wachtwoord" field, the password is shortly visible before it is changed into ******


* When you use the technique I explained, you would first need to enter the master password before the field is populated (assuming the master password is not saved on disk).

My point is that if someone gets access to my pc (or passwordmaker.rdf), I don't want him to find my preset password. This is not necessarily a human-readable word, but it is just a password which is not generated.

If you only use generated passwords, you do not use this. But if there is a situation where you must use an existing password, then use this!
