anything

Author Topic: Safe use of "When URL contains"  (Read 9073 times)

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Safe use of "When URL contains"
« on: February 09, 2006, 07:20:17 PM »
Could someone remind me how to avoid an unexpected match of when URL contains.
e.g. I wish the same password for urls that contains paypal.com: the same password for www.paypal.com and www2.paypal.com
But I do not wish this password for
* www.hacker.tu/paypal.com or
* paypal.com.safe.hacker.tu

What do I fill in in the when url contains field?

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
Safe use of "When URL contains"
« Reply #1 on: February 09, 2006, 10:05:43 PM »
I usually use something like:

contains = .paypal.com/           use = paypal.com

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Safe use of "When URL contains"
« Reply #2 on: February 10, 2006, 12:46:00 AM »
I like to start mine off with http://...  So in BHiko cse, I would set up two account http://www2.paypal.com and http://www.paypal.com.  The first part of the URL is the most important part of the URL IMHO.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
Safe use of "When URL contains"
« Reply #3 on: February 10, 2006, 07:56:20 AM »
Quote
contains = .paypal.com/           use = paypal.com
Thanks tanstaafl
just for my understanding, why use = paypal.com? Isn't it assumed in this case?

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
Safe use of "When URL contains"
« Reply #4 on: February 10, 2006, 12:43:55 PM »
Actually, for financial accounts, I agree with Romeo - use the full URL in the 'When URL contains' field. The shorter way I used is to avoid having to worry about multiple instances, and/or the host changing something minor, Mine would usually keepo working, while Romeo's way would require you to account for the change every time.

But, as I said, it is much more secure as far as preventing phishing scams goes.

And no, the 'Use this URL' is never assumed - if you leave it blank, then it is using a BLANK URL to calculate the password. So, if you left it blank for all of your accounts, then none of them are using the URL to calculate the password.

Not really a major security risk, but it is important that you understand that it does work this way.

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
Safe use of "When URL contains"
« Reply #5 on: February 10, 2006, 12:46:35 PM »
And by the way - the number one Feature Request is for the ability to define multiple 'When URL Contains' entries for a single account, which would make dealing with this much easier, so you might want to go vote for it...

PasswordMaker Forums

Safe use of "When URL contains"
« Reply #5 on: February 10, 2006, 12:46:35 PM »

 

anything