Author Topic: Defaults used for MasterPassWord?  (Read 17249 times)

LkonKbd

  • Guest
Defaults used for MasterPassWord?
« on: October 08, 2005, 09:24:10 PM »
So many questions, which one to ask first?

What is used for creating the MasterPassWord for PassWordMaker?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Defaults used for MasterPassWord?
« Reply #1 on: October 08, 2005, 11:26:04 PM »
Ask them all! If they're interesting enough, we'll add them to the FAQ.

Quote
What is used for creating the MasterPassWord for PassWordMaker?
I don't really understand this question! Can you rephrase it? As far as I know, you create the master password!

Best Regards,
Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Defaults used for MasterPassWord?
« Reply #2 on: October 08, 2005, 11:38:23 PM »
Hi LkonKbd,

You can use whatever you want - but it is best to pick one secure password for it - because if someone gets ahold of it, they could conceivably with some (maybe a lot, if you are smart and change your Defaults Settings) of trial and error, gain access to all of your accounts.

Best practice is, use a complex/secure Master Password, and change the Default Settings (and consequently the Settings used by your Accounts as you create them). Also, for critical Accounts - like online Financial Accounts - it is best to use different Settings than you use for your other Accounts.

Please, ask away any other questions you have!

LkonKbd

  • Guest
Defaults used for MasterPassWord?
« Reply #3 on: October 09, 2005, 04:54:37 PM »
Quote
Ask them all! If they're interesting enough, we'll add them to the FAQ.


I don't really understand this question! Can you rephrase it? As far as I know, you create the master password!

Best Regards,
Eric
"Eric"

Was wondering if the 'Defaults' in 'Advanced Options' were the settings for creating the MasterPassWord?  Where could we go to make adjustments in this password creation?  I have seen where MD4 and MD5 are not that secure.

How would we go about changing the MasterPassWord?  For security reasons that should be done at least every 3 - 6 months.

Thank you for reading my questions,

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Defaults used for MasterPassWord?
« Reply #4 on: October 09, 2005, 05:53:46 PM »
Quote
Was wondering if the 'Defaults' in 'Advanced Options' were the settings for creating the MasterPassWord? Where could we go to make adjustments in this password creation? I have seen where MD4 and MD5 are not that secure.
The "defaults" are the settings for creating the generated passwords, not the master password. You can make adjustments to how generated passwords are created by double-clicking "Defaults" or clicking the "Settings" button with "Default" highlighted.

Quote
How would we go about changing the MasterPassWord? For security reasons that should be done at least every 3 - 6 months.
You can do that simply by typing a new master password in the master password box. But it will change all of your generated passwords if you do that, so you'd then have to change them on each and every web site...

LkonKbd

  • Guest
Defaults used for MasterPassWord?
« Reply #5 on: October 09, 2005, 08:23:41 PM »
"Eric,"

Thank you for this info, did not know if the 'Defaults' had anything to do with the creation of the 'MasterPassword'.

Quote From: Eric.
"You can do that simply by typing a new master password in the master password box. But it will change all of your generated passwords if you do that, so you'd then have to change them on each and every web site..."

I am presuming the check box for "Confirm master password by typing it twice instead of once" should be empty.

Ah, Ha, did not know the 'MasterPassword' would also affect the individual account's password.  Will the selections for 'HashAlgorithm', 'Characters', 'Generated Password Length', etcetera be affected also?  Or will they remain the same?

At the rate I am screwing-up my PWM and having to recreate thingys I can avoid the 3 - 6 months change of passwords.

BAG!!  CU L8R,

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Defaults used for MasterPassWord?
« Reply #6 on: October 10, 2005, 12:48:20 AM »
Everything tosses in a little to change the password (besides saving the master password). Actually, it's hard to find something that doesn't affect the generation of the passwords.
"I'm not drunk, just sleep deprived."

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Defaults used for MasterPassWord?
« Reply #7 on: October 10, 2005, 12:59:00 AM »
Miquelfire, the When URL contains text box doesn't seem to affect the PW.  I just went thru and fixed mine with http:// and .com/ at the end, so that phishing attacks won't work and it didn't change my PWs.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Defaults used for MasterPassWord?
« Reply #8 on: October 10, 2005, 01:21:19 AM »
Quote
Miquelfire, the When URL contains text box doesn't seem to affect the PW. I just went thru and fixed mine with http:// and .com/ at the end, so that phishing attacks won't work and it didn't change my PWs.
That's only because it still uses the correct URL... however, now that you have added this to the 'When URL contains' field, if you went to a phishing site - ie, one that *contained* the top-level domain you had entered, but had a .xyz.net after the .com/ - it *would* generate a different password, whereas before you changed this, it would *not* have...

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Defaults used for MasterPassWord?
« Reply #9 on: October 10, 2005, 02:22:22 AM »
tanstaafl when you have http://www.cahse.com/, for example, it'll work fine.  To the best of my knowledge, http://www.chase.com/phisher.net is not a valid URL.  It'll still take you to chase.com with a page not found, because everything past the third slash is considered to be a page within that domain.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Defaults used for MasterPassWord?
« Reply #10 on: October 10, 2005, 11:08:05 AM »
Quote
tanstaafl when you have http://www.cahse.com/, for example, it'll work fine.
Well, that depends on what top-level domain you are talking about... ;)

Also, adding the 'http://www' is not necessary - all you need to do is add a '.' before and a trailing slash after the domain name you want to protect (ie, in this case, a '.chase.com/' is enough to protect the top-level domain 'chase.com' from a phishing attack - the preceding '.' limits sub-domains to only valid sub-domains of 'chase.com', and the trailing slash, as you pointed out (and as I have pointed out three or four times in this thread) limits sub-directories/pages to only valid sub-directories/pages of 'chase.com').

Your last comment is correct - but you seem to be suggesting that it somehow differs from what I am saying, but it does not. We are saying the same thing, but from a different perspective.
« Last Edit: October 10, 2005, 11:08:41 AM by tanstaafl »

Offline ajw

  • Jr. Member
  • **
  • Posts: 81
Defaults used for MasterPassWord?
« Reply #11 on: October 10, 2005, 06:38:25 PM »
Quote
Also, adding the 'http://www' is not necessary - all you need to do is add a '.' before and a trailing slash after the domain name you want to protect (ie, in this case, a '.chase.com/' is enough to protect the top-level domain 'chase.com' from a phishing attack - the preceding '.' limits sub-domains to only valid sub-domains of 'chase.com', and the trailing slash, as you pointed out (and as I have pointed out three or four times in this thread) limits sub-directories/pages to only valid sub-directories/pages of 'chase.com').

Actually, it *is* necessary - otherwise you could match something like this:

http://www.ajw.com/www.bankname.com/

(I changed it just so Chase wouldn't get angry if they stumbled onto my site with a www.chase.com subdirectory!  :)

If all you're checking is ".bankname.com/" then it'll match further down in the URL.  If you force it to start at the http:// then it can't match - or can it; I wonder if you can use the %xx escape chars to make a subdirectory named "http://www.bankname.com/" so the scammer could use a full URL of "http://phishingsite.com/http://www.bankname.com/" (using %xx escape chars of course)

I don't think that'd work on Windows; can't make a subdirectory with the slash or colon in it anyway.   But it might on a *nix machine - or if someone hacked the file system to allow such an odd name...


Now the question is, if PM was set up to only check ".bankname.com/" and the actual URL is "http://www.ajw.com/www.bankname.com/" does PM generate the right password for the real site or does it generate one that's different?

If it's different, then it's fine.

- Al -

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Defaults used for MasterPassWord?
« Reply #12 on: October 10, 2005, 06:54:09 PM »
Al,
Quote
I don't think that'd work on Windows; can't make a subdirectory with the slash or colon in it anyway
This can definitely be done on Windows with Apache web server by configuring an alias or a virtual host in httpd.conf.

Offline ajw

  • Jr. Member
  • **
  • Posts: 81
Defaults used for MasterPassWord?
« Reply #13 on: October 10, 2005, 08:30:18 PM »
Quote
Quote
I don't think that'd work on Windows; can't make a subdirectory with the slash or colon in it anyway

This can definitely be done on Windows with Apache web server by configuring an alias or a virtual host in httpd.conf.
Oh, my!!   I didn't know that!

In that case, you need to be able to specify that the URL *begins* with http://...

Otherwise, you could indeed match later in the string and you'd supply a valid password to the phishing site.   (at least in the case of a custom account - I guess that wouldn't happen if it was the default account; that'd use the bogus phishing domain)

- Al -
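
Added example (not part of any post in this thread, and not PasswordMaker's own code): a comparison of the matching strategies discussed above, run over the thread's own sample URLs. The function names are hypothetical, and whether a matcher sees the raw or the percent-decoded URL is an assumption, so both are shown.

```javascript
// Hypothetical helpers for illustration; not PasswordMaker's implementation.

// Plain substring test, the behaviour the thread attributes to 'When URL contains'.
function containsMatch(url, pattern) {
  return url.includes(pattern);
}

// Stricter check: parse the URL and compare only scheme and hostname,
// so nothing in the path or query can satisfy the match.
function hostMatch(url, domain, schemes = ["http:", "https:"]) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (!schemes.includes(u.protocol)) return false;
  const host = u.hostname.toLowerCase();
  const d = domain.toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Constructed sample URLs, built from the examples given in the thread.
const samples = [
  "http://www.bankname.com/login",
  "http://www.ajw.com/www.bankname.com/",
  "http://phishingsite.com/http%3A%2F%2Fwww.bankname.com%2F",
  "http://www.bankname.com.xyz.net/",
];

function compare(urls) {
  const full = "http://www.bankname.com/";
  return urls.map(url => ({
    url,
    // '.domain/' pattern anywhere in the raw URL
    contains: containsMatch(url, ".bankname.com/"),
    // full 'http://www...' pattern, assuming the matcher sees the decoded URL
    containsDecoded: containsMatch(decodeURIComponent(url), full),
    // URL must begin with the full pattern
    prefix: url.startsWith(full),
    // parsed hostname comparison
    host: hostMatch(url, "bankname.com"),
  }));
}

console.table(compare(samples));
```

Only the prefix and hostname checks accept the real site and reject the other three; the substring checks each accept one look-alike URL.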

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Defaults used for MasterPassWord?
« Reply #14 on: October 10, 2005, 08:37:12 PM »
For the time being, I am only using PM on sites, which I go to via my bookmarks - That ought to be pretty safe.
It is impossible to create a fool-proof system, because fools are ingenious.
