Author Topic: 'Defaults' vs. Custom Accounts - When & How  (Read 17806 times)

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
'Defaults' vs. Custom Accounts - When & How
« on: October 06, 2005, 01:04:06 AM »
The ability to define Custom Accounts is one of many things that sets PASSWORDMAKER apart from any of the other Password utilities out there, but it can also be a source of confusion for people new to PWM. The purpose of this post is to try to help clear up some of that confusion.

The bottom line is, there are really only two good reasons to create a Custom Account:

 1) sites that require Settings that are different from the ones you specified in your 'Defaults' Settings, and/or

 2) sites that are of a sensitive nature, like, for example, banking/financial sites, Domain Registrar accounts, and Remote Control Accounts like LogMeIn or GoToMyPC, etc. There are others of course, but only you can answer the question of whether or not an account is sensitive for you.

You are encouraged to use the 'Defaults' Account/settings for all other sites that are of a non-sensitive nature.

Don't misunderstand me, though. This does not mean that you shouldn't create Custom Accounts for every single one of the sites you access - by all means, if you want to, then do so. I just wanted to make sure that you understood that it wasn't absolutely necessary to do so just to use PWM.

============= TIP
See this topic for a detailed description of a simple concept for how to make your usage of PWM much more secure.
============= TIP

Allow me to elaborate on some ways that Settings requirements might create a situation where you would need to create a Custom Account, and some Tips that will help to minimize such situations.

In the 'Defaults' Settings, you can specify a Username, which is not only used to log into the site - and which can also be automatically populated into the Username field on the login page - but it is also one of the items used to generate your passwords.

However, if one of your sites requires a different Username from the one you specified in the 'Defaults' Settings, then you would have to either manually change the Username on the login page every time after PWM populates it (because PASSWORDMAKER would have populated it with the one from the Defaults), or, create a Custom Account for this site with the correct username. So, with this in mind:

============= TIP
For non-sensitive sites for which you want to just use the 'Defaults' settings, pick something for a username that is almost certain to not be used by anyone else - something not a word, or a word that contains special characters in place of certain letters (example: 'mikemybirthyear' instead of just 'Mike') - this will make using the 'Defaults' settings/Account much easier and more convenient.
============= TIP

Another example is that some sites impose special limitations/requirements with respect to the number of and/or types of characters that are allowed to be used for Passwords which differ from what you specified in your 'Defaults' Settings. For these sites, you would have to define a Custom Account that reflects the different Settings needed to allow PASSWORDMAKER to work properly with that site. So, with that in mind:

============= TIP
Use only lowercase letters and numbers for your 'Defaults' settings, with a lower number of characters - say, 10. Since you are only using the 'Defaults' settings/Account for non-sensitive sites, this will still give you reasonably secure passwords for your non-sensitive sites, while allowing you to not have to create Custom Accounts for most of them.
============= TIP

Hopefully this is enough of an explanation of the 'Defaults' Account/settings vs. Custom Account/settings to allow you to make an informed decision on when - or even if - to use the 'Defaults' Account/settings, or to create a Custom Account, for any given site.
« Last Edit: June 01, 2007, 05:40:04 PM by tanstaafl »

Offline avander_be

  • Normal Members
  • *
  • Posts: 5
'Defaults' vs. Custom Accounts - When & How
« Reply #1 on: January 06, 2006, 11:31:21 AM »
Hi,

I'm new to pwm and this account stuff really puzzles me...

I admit that I probably started the wrong way, I created an account to prevent screwing up the default one  :rolleyes: ...

Like many others I have several usernames to login to different sites, sometimes it's a username, sometimes a [email protected], a username_country because username already existed etc...

What's the best way in pwm to deal with this common situation?

I may be wrong but I doubt that creating an account per unique username is going to save my bacon...

Regards and TIA.

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
'Defaults' vs. Custom Accounts - When & How
« Reply #2 on: January 06, 2006, 01:17:16 PM »
Hi avander_be,

You don't *have* to create an account for each username, but you are actually on the right track.

One thing that is unclear to me - are you saying you have more than one username for each URL/site you are visiting? Or simply that you sometimes have to use a different username when registering for a particular site if, say, your desired username is already taken?

Creating a unique Account for each site/login (yes, you can have multiple usernames for a single URL/site - just create the accounts and put the different username for each one) allows you to make full use of the auto-populate functionality. PWM will automatically populates both the username (if specified) and password for you. Soon, you will also be able to specify arbitrary fields to be populated (and what to populate themn with), and eventually you will even have the option to auto-submit for certain sites as well, so you won't even have to click the login button.

You can do the same thing using the Defaults account, but obviously, you can only specify one username.

If you have multiple accounts for the same site/URL, PWM will prompt you for which account you want to use (since more than one matches the URL you are visiting) when it is invoked.

What I do is use the Defaults for my most used username, and create a unique Account for the others.

I also create unique Accounts for important logins - like, financial sites (bank accounts, etc), and change the Settings to something different. This is to make it more secure - because if someone wants to try to figure out my account password, they will need to know what my settings are for that account as well as the Master Password.

I also use different Master Passwords for different types of Accounts - for example, I use one Master Password for Forums (like this one), a different Master Password for Accounts that I manage for other Clients/Customers (a different Password for each Customer/Client), and a different Master Password for my important online Accounts (again, banks, etc).

Hope this was helpful, and feel free to keep asking if you need clarification.

PWM rocks!

Offline avander_be

  • Normal Members
  • *
  • Posts: 5
'Defaults' vs. Custom Accounts - When & How
« Reply #3 on: January 07, 2006, 08:49:37 AM »
Thank you for your answer tanstaafl!

If I have multiple accounts and right click on a password field to login, can pwm select to right account ( great) and if so how or do I have to select the account myself ( bummer)?

Regards.

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
'Defaults' vs. Custom Accounts - When & How
« Reply #4 on: January 07, 2006, 04:01:38 PM »
You're welcome :)

As for your the answer to your follow-up question...

This would depend on the answer to the question I posed in my previous response which you did not answer... so, I'll give you the two possible answers for this one...

1. If you have more than one Account defined for the URL you are visiting, then when you press Alt-~, PWM will prompt you for which Account to use, and then prompt you for your Master Password (MPW).

2. If you only have one Account defined for that particular URL, then PWM will simply prompt you for your MPW, after which it will populate your username and password fields.

The only other variations would be:

1. if you have elected to save your MPW to disk, in which case, it would *not* prompt you for your MPW, or

2. if you have elected to save your MPW in memory, *and* this is your first login for this browsing session, then you will be prompted for your MPW. All subsequent logins will *not* prompt you for your MPW, until you completely quit FireFox. Then, if you start a new Session later, you will again be prompted for your MPW the *first* time you log in to a site.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
'Defaults' vs. Custom Accounts - When & How
« Reply #5 on: January 07, 2006, 05:24:15 PM »
Avander_be mentioned he uses right-click to invoke PasswordMaker. I just wanted to point out that tanstaafl's comments in the last post apply to both right-click and Alt-~.

Offline avander_be

  • Normal Members
  • *
  • Posts: 5
'Defaults' vs. Custom Accounts - When & How
« Reply #6 on: January 08, 2006, 09:01:41 AM »
tanstaafl & Eric >

I have multiple usernames as explaned earlier but always one a 1 to 1 base ( looking from the url point of view that is), so one username for one site. Let's say:
Code: [Select]
username          site(s)
avander             www.car.be www.hardware.fr  ...
avander_be        www.frenchforum.fr  www.dutchforum.be ...
avander@yahoo  mail.yahoo.com    

I've been foulin' around with two accounts this morning but I still can't figure out how pwm determines which account it has to use when I ask to generate my password using right click and then populate with pwm ( I use the 'clear password' option to see what's going on for now).

To login somewhere I fill in my username and on the password field I ask pwm to fill it in for me but it always serves me the password of the default account.

The only way to get it right is to complete the 'when URL contains' field in the custom account, but this seems to imply that if this username is used for two different sites I'll have to create a third account ( or does the 'when URL contains' supports lists of urls?).

If there's another way to configure pwm i'll b glad to hear it from you guys.

Regards.
« Last Edit: January 08, 2006, 09:39:39 AM by avander_be »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
'Defaults' vs. Custom Accounts - When & How
« Reply #7 on: January 08, 2006, 03:43:24 PM »
Hi.

Quote
The only way to get it right is to complete the 'when URL contains' field in the custom account, but this seems to imply that if this username is used for two different sites I'll have to create a third account ( or does the 'when URL contains' supports lists of urls?).
That is correct. There is a feature request for 'when URL contains' to support a list of URLs, but it hasn't been implemented yet. If you're interested in that feature, I encourage you to vote for it!

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
'Defaults' vs. Custom Accounts - When & How
« Reply #8 on: January 08, 2006, 04:08:49 PM »
Hi avander_be,

Ok, yes, I think you simply need to resign yourself to the fact that you need to create a custom account for any URL's that you have more than one username for, because it is the URL that PWM uses to tell one 'password' from another if you are only using the Defaults account, and one 'Account' from another - so, if you have more than one account defined for the same URL, *that* is when PWM will prompt you for which Account to use.

Fyi - I have over 100 Custom Accounts defined. Custom Accounts are just *one* of the most powerful things about PWM, so don't be afraid of them - *use* them! ;)

Now, I just thought of something else that might be happening... if you have more than one username for the same URL, but don't set up separate Accounts for them (which means you are using the 'Defaults' account settings), then both logins are using the *same* password. You can verify this by enabling 'Show all passwords on web pages as clear text' option in the Global Settings.

It also sounds like you might want to vote for a Feature Request of *mine*, whereby, you can elect to have a Modifiable Username Prompt, which means you could have multiple usernames for a single URL, but only have to define one Account for that URL, and if the username you want to log in with is different from the one you have defined in the Account, you just change the username on the fly. Very helpful if you have lots of sites with lots of usernames for each, as I do - I manage multiple domains for multiple Clients, so may have 30+ usernames for a single URL. I have a workaround that I employ for this so I don't have to have a separate Account for each (otherwise I'd have *many* hundreds of Accounts), but it is awkward, and worse, I cannot make use of the auto-populate functionality of PWM - but it does allow me to have different passwords for each user, but only have to define one Account per domain. If you are interested in the details, just ask...

There is also another request for having multiple URL's here, which is almost the opposite (but not quite). It is for accounts that might use different URLs, depending on which server you happen to hit - usually large sites that have multiple servers for redundancy and/or load balancing, but for whatever reason don't have the webserver farm configured to provide a uniform URL.

If you haven't already, you may want to peruse the Feature Request List to see what other tasty treats may have been asked for that you might be interested in.
« Last Edit: January 08, 2006, 04:14:16 PM by tanstaafl »

Offline avander_be

  • Normal Members
  • *
  • Posts: 5
'Defaults' vs. Custom Accounts - When & How
« Reply #9 on: January 08, 2006, 04:39:28 PM »
Quote
Hi.

That is correct. There is a feature request for 'when URL contains' to support a list of URLs, but it hasn't been implemented yet. If you're interested in that feature, I encourage you to vote for it!

I'm on my way!    ;)

Offline rbrt_ryn

  • Normal Members
  • *
  • Posts: 2
'Defaults' vs. Custom Accounts - When & How
« Reply #10 on: January 27, 2006, 06:59:00 PM »
Quote
The bottom line is, there is only one good reason to create a Custom Account for one of your Passwords, and that is if you have a Password Account that requires Settings that are different from the ones you specified in your 'Defaults' Settings.

The optimal way to use PASSWORDMAKER is to set the 'Defaults' Settings to what are necessary to work properly for the majority of your Passwords. Then, create a Custom Account for any Passwords that have special requirements.

I have to respectfully disagree with tanstaafl's comments here.

One advantage to having custom accounts is if one of your passwords somehow gets compromised. If it belongs to a custom account you you can just change the settings/password for that one account and you're good to go.

If, however, you base most of your accounts on a single default setting you will have to change the password on every one of those accounts.

I set up a custom account for each URL I have to log in to.

Offline tanstaafl

  • Moderator
  • *****
  • Posts: 1363
'Defaults' vs. Custom Accounts - When & How
« Reply #11 on: January 27, 2006, 07:25:04 PM »
Quote
Quote
The bottom line is, there is only one good reason to create a Custom Account for one of your Passwords, and that is if you have a Password Account that requires Settings that are different from the ones you specified in your 'Defaults' Settings.

The optimal way to use PASSWORDMAKER is to set the 'Defaults' Settings to what are necessary to work properly for the majority of your Passwords. Then, create a Custom Account for any Passwords that have special requirements.
I have to respectfully disagree with tanstaafl's comments here.

One advantage to having custom accounts is if one of your passwords somehow gets compromised. If it belongs to a custom account you you can just change the settings/password for that one account and you're good to go.

If, however, you base most of your accounts on a single default setting you will have to change the password on every one of those accounts.

Well, while I understand what you are saying, and agree with you to an extent, you missed an obvious alternative...

If you are using the Defaults for all of your Accounts, and one of them gets compromised, you can, at *that* time, simply create a Custome Account for that one URL, and change the settings and the password.

Now, if you use the Defaults for all of your accounts, and your Master Password & Settings are compromised (as opposed to just one of the generated passwords), then you're in trouble...

But most people will *not* change the Default Settings when creating Custom Accounts, or if they do, they make the SAME changes. Otherwise, you would never be able to remember what settings were used for which account (if you ever needed to re-create them for some reason (corrupt RDF, etc).

So, while creating a separate Account for each and using custom settings for each would definitely be more secure, it adds a very real layer of complexity.

That said - since PWM does all the work, there is no real reason not to do it this way, and indeed, it will make it that much harder for someone to compromise your accounts, so, by all means, do it!
« Last Edit: January 27, 2006, 07:30:50 PM by tanstaafl »

PasswordMaker Forums

'Defaults' vs. Custom Accounts - When & How
« Reply #11 on: January 27, 2006, 07:25:04 PM »