Author Topic: Hiding the Accounts Information  (Read 5548 times)

Offline jrm

  • Normal Members
  • *
  • Posts: 2
Hiding the Accounts Information
« on: July 02, 2006, 05:31:35 PM »
Thanks for what seems to be a pretty clever extension.

I am trying to use PasswordMaker 1.5.1 with Firefox 1.5.0.4 for Windows.

I have set up PasswordMaker to use existing user names and passwords as outlined in  FAQ - the 7th topic.

My question is this:  is it possible to hide the Accounts details which are readily visible when you either press Control+' or right click and select "PasswordMaker > Open PasswordMaker"?  At present it seems that anyone can simply go to the Accounts tab and see what passwords are in use.  It seems that you don't have to log in to see this information.

Please put me right if I have missed something blindingly obvious.

Thanks

Jeremy

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Hiding the Accounts Information
« Reply #1 on: July 02, 2006, 06:12:04 PM »
Thanks for the feedback.

Yes, there is a possibility to hide your custom password. Don't put it into the prefix field, as suggested by the faq, but use the Advanced Auto-Populate tab. There you can set up username and password, and the password will be hidden from view.

At the moment it is not easily possible to hide the accounts completely.

To make this a feature request, would you like to have just the accounts hidden, or all of PasswordMaker's dialogs, before the MPW is entered correctly? This would imply also, that the MPW's hash is stored for verification, but that's another feature request.

Offline jrm

  • Normal Members
  • *
  • Posts: 2
Hiding the Accounts Information
« Reply #2 on: July 02, 2006, 07:50:42 PM »
Thanks Thibros.  

OK.  So you double click on an Account and bring up the "PasswordMaker Account-Specific Settings" window.  

But here, whichever tab you select ("General", "Extended" or "Advanced Autopopulate"), the password is visible (in blue font) at the bottom of the "PasswordMaker Account-Specific Settings" window to the right of the "Generated Password" label.  

This seems like a gaping hole in security to me.  Even with "Store Master Password" set to "Not at all" so that any other user cannot simply right click and populate a password field without knowing the Master Password, it seems that any user can simply bypass all this security by going to the Accounts tab and double clicking on an account.  Voila - the password is visible.

I hope I have missed something but I can't see what it is.

To answer your question, I would like to have the option to hide user names and passwords that are currently visible in "PasswordMaker Advanced Options" window.  In order to see this data, you would be asked to enter the Master Password.  Hope this makes sense.

Jeremy

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Hiding the Accounts Information
« Reply #3 on: July 02, 2006, 09:15:30 PM »
If the master password field is clear, then any generated password is what it would be if generated from the empty string. That's useless to anyone.

If your actual password is shown there, then you probably have stored it in the extended tab as prefix or suffix. Please clear it from there, you're completely right, that's not the best way to keep it.

Navigate to that web site, open the advanced autopopulate tab, and store your password there, if you want to keep using your old password. The password is not shown, all you see will be the string "<hidden>". I hope this helps.

I don't quite remember now if there has ever been a feature request for hiding the user name...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Hiding the Accounts Information
« Reply #4 on: July 03, 2006, 05:34:36 PM »
You can hide passwords by going to Global Settings and checking "Hide Password with asterisks" In order for someone to uncheck that checkbox, he'll need your master password.

Offline thibros

  • Full Member
  • ***
  • Posts: 107
Hiding the Accounts Information
« Reply #5 on: July 03, 2006, 08:06:34 PM »
Yeah, that's there too, I never used that function, so I forgot. That works for generated passwords.

That doesn't stop someone from copying the generated password to the clipboard and looking at it there, or enabling "Show passwords on web pages as clear text", though.

PasswordMaker Forums

Hiding the Accounts Information
« Reply #5 on: July 03, 2006, 08:06:34 PM »