From PasswordMaker


What browsers/platforms are supported?

  • The extension works with some of the most popular Gecko based web browsers, including: Firefox, SeaMonkey, Mozilla Suite, Flock and Netscape.
  • There was a beta version of PasswordMaker for Internet Explorer 6 and 7, but it was never finished, and is no longer maintained. It is highly unlikely that there will be any further development on it, unless a sponsor steps forward. If you are interested in sponsoring the Internet Explorer version, please feel free to post a message on the user forums and someone will get in touch with you to see if an arrangement can be made.
  • There is an online version that works with all browsers (including Internet Explorer and Opera) on all platforms.
  • The desktop version is written in QT/C++ and works on Windows, Mac, and Linux/Unix (in fact, anywhere QT can be compiled). The J2ME version will work on any Java-enabled mobile phone or PDA.

If someone gets my master password, can't he determine all of my generated passwords?

No. There are ten other variables he would need for each account. They are:

  • URL
  • character set
  • which of nine hash algorithms was used
  • modifier (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

Can someone "unscramble" my generated passwords to determine my master password?

This is a common complaint heard about hash-based password systems (for example, see page two of A Convenient Method for Securely Managing Passwords). The complaint simply doesn't hold water with PasswordMaker because PasswordMaker adds nine other variables not used in the traditional password=master+url formula. Those nine variables create an enormous search space which would take thousands of years to search, even using a distributed network of one million modern PCs. The nine variables are:

  • character set
  • which of nine hash algorithms was used
  • modifier (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Of course, the URLs of the sites must also be known since they are used in password calculation. Probably the most interesting of these variables is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

How do the account-settings and algorithm I choose work together to generate passwords?

If you've selected a non-HMAC hash function (those without the HMAC prefix), passwords are generated using the following pseudocode:

password = mp + usingURL + username + modifier
password = leet(password, leetlevel) [optional]
password = hash(password, charset)
password = leet(password, leetlevel) [optional]
password = truncate(prefix + password, length-suffix_length) + suffix
password = truncate(password, length)

If you've selected an HMAC hash function (those with the HMAC prefix), passwords are generated using the following pseudocode:

data = usingURL + username + modifier
mp = leet(mp, leetlevel) [optional]
data = leet(data, leetlevel) [optional]
password = hmac_hash(mp, data, charset)
password = leet(password, leetlevel) [optional]
password = truncate(prefix + password, length-suffix_length) + suffix
password = truncate(password, length)

Where + is the concatenation operator, mp is the master password, usingURL is the value in "Using URL", and username, modifier (also called the counter), prefix, and suffix are optional settings specified in the Account Settings dialog. For HMAC hash functions, mp is the secret key and data is the input text.
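As an added illustration (not PasswordMaker's own code), the two pseudocode branches above carried through in Python with the standard hashlib and hmac modules. Assumed here: the l33t table is a constructed stand-in for the real nine levels, the charset mapping is a plain base conversion that shows the restriction to the chosen character set rather than PasswordMaker's exact encoding, and algorithm names are hashlib names.

```python
import hashlib
import hmac

# Constructed stand-in for the l33t tables; PasswordMaker's nine real levels differ.
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

def leet(text, level):
    """Apply the l33t substitution; level 0 means the step is skipped."""
    return text if level == 0 else "".join(LEET_MAP.get(c, c) for c in text)

def encode_charset(digest, charset):
    """Base-convert the digest so only characters from `charset` can appear.
    Assumption: illustrates the charset restriction, not PasswordMaker's exact encoding."""
    if len(charset) < 2:
        raise ValueError("charset needs at least two distinct characters")
    n, out = int.from_bytes(digest, "big"), []
    while n:
        n, rem = divmod(n, len(charset))
        out.append(charset[rem])
    return "".join(reversed(out))

def hash_to_charset(data, charset, algo, key=None):
    """hash(data, charset) when key is None, otherwise hmac_hash(key, data, charset)."""
    raw = data.encode()
    if key is None:
        digest = hashlib.new(algo, raw).digest()
    else:
        digest = hmac.new(key.encode(), raw, algo).digest()
    return encode_charset(digest, charset)

def generate(mp, using_url, charset, length, algo="sha256", use_hmac=False,
             username="", modifier="", prefix="", suffix="",
             leet_level=0, leet_where="none"):
    """Follow the FAQ pseudocode; leet_where is 'none', 'before', 'after' or 'both'."""
    before, after = leet_where in ("before", "both"), leet_where in ("after", "both")
    if use_hmac:
        key, data = mp, using_url + username + modifier
        if before:  # mp = leet(mp); data = leet(data)
            key, data = leet(key, leet_level), leet(data, leet_level)
        password = hash_to_charset(data, charset, algo, key=key)
    else:
        password = mp + using_url + username + modifier
        if before:
            password = leet(password, leet_level)
        password = hash_to_charset(password, charset, algo)
    if after:
        password = leet(password, leet_level)
    password = (prefix + password)[: length - len(suffix)] + suffix
    return password[:length]
```

Feeding the two URLs from the phishing answer later on this page, http://www.bcl.lu/ and http://www.bc1.lu/, yields unrelated outputs for the same master password, which is the property that answer relies on.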

Where is my master password stored?

Nowhere, unless you choose the option Store Master Password on disk and in memory (encrypted). If you choose this option, your master password is stored using 256-bit strong encryption in %ProfileDirectory%/passwordmaker.rdf. If you don't know where your profile directory is, look here. For further protection you can instruct your operating system to encrypt passwordmaker.rdf. Instructions on how to do this with Windows XP/2000/NT are here. Instructions for Mac OS/X Tiger are here.

Where are the generated passwords stored?

Nowhere. The generated passwords are calculated on-the-fly as they are needed. The RAM used to store and calculate the generated passwords is proactively cleared to prevent passwords from being stored in a swap file/virtual memory/paging file.

How do I know PasswordMaker isn't sending my passwords to you without my knowledge?

Although you can read the source code to determine this for yourself, there's an easier way. Install a packet sniffer and use PasswordMaker to generate some passwords. You won't see any traffic to or from PasswordMaker -- ever. It never connects to the internet. Two popular packet sniffers are snort (for Unix/Linux/OSX) and ipInterceptor (for Windows). Both tools reveal *all* network traffic, not just HTTP.

Another way would be if you have a two-way firewall installed. PasswordMaker will never trigger an outbound connection notification from your firewall (although it may trigger an inter-application process notification, depending on the firewall in use).

If I don't want to change all of my passwords, is PasswordMaker still a good choice?

Yes. PasswordMaker provides a secure method for encrypted storage of a specific, user-provided password for a custom Account. This way you can take advantage of PasswordMaker's other features (such as form completion) while still choosing your own passwords.

To set up a URL/site in this manner:

1. Go to the login page for the Account that you want to save the password for.

2. Create a new (or open the existing) Account for this URL/site.

3. Change to Advanced Options (if you are not already there) and click the Advanced Auto-Populate tab.

4. Click inside the password field on the login page, then click inside the Field Value field and enter your current password.

5. Click the Add> button (just above the list-box for fields).

6. Last but not least, if desired, check Auto-populate username and password fields for sites that contain this URL.

Which hash algorithms are supported?

  • MD4
  • HMAC-MD4
  • MD5
  • MD5 (for PasswordMaker v 0.6)
  • HMAC-MD5
  • HMAC-MD5 (for PasswordMaker v 0.6)
  • SHA-1
  • HMAC-SHA-1
  • SHA-256
  • HMAC-SHA-256
  • HMAC-SHA-256 (for PasswordMaker v 1.5.1)
  • RIPEMD-160

Which hash algorithm should I use?

All of the algorithms are cryptographically strong, but of the algorithms PasswordMaker offers, many people regard SHA-256, HMAC-SHA-1, HMAC-MD5 and HMAC-SHA-256 as the strongest.

What about recent press concerning MD5 AND SHA-1 "cracks"?

At Crypto 2004, Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu announced they had found hash collisions for MD4, MD5, RIPEMD, and HAVAL-128. SHA-1 hash collisions have also been announced. A hash collision means the researchers found two or more messages that yield the same hash with these algorithms. However, it's important to note that the one-way nature of these algorithms has not been undermined. In other words, in the context of PasswordMaker, hash collisions do not empower someone with the ability to derive your master password if they have your generated (hashed) passwords. The hash collision attacks have no relevance to PasswordMaker except that there is a very small chance someone could choose a different master password than yours which hashes to the same generated password. However, he would still need your username and the URL in order to hack your account.

Do you provide technical support?

Yes! Free technical support is provided on the user forums, with a response time often measured in minutes and rarely more than 24 hours.

Where can I find an explanation of each and every feature and function?

Right here!

Do you accept Feature Requests?

Yes, absolutely! Feature requests from people who actually use PasswordMaker are one of the reasons PasswordMaker has a lot of the functionality it now has!

Our user forums are the best place to get support, and the Feature Request List is the place to make your desires known.

Please read through all of the existing Feature Requests before posting, because it is very possible that someone else has already done it for you. If so, then by all means post a request to add your vote to it, and any other Feature Requests that sound attractive to you.

Each registered user gets 5 votes, so please feel free to stop by and add your votes now!

How is PasswordMaker licensed?

PasswordMaker is licensed under the LGPL Open Source License. The desktop edition (because of QT) is licensed under the GPL Open Source License.

The full sources for PasswordMaker can be downloaded from here.

What if my computer crashed, and I have to start over from scratch?

Well, as long as you plan ahead and take a few simple precautions, this will not be a problem.

This issue is discussed in more depth in this Super Security Tip, but for this one single question, it boils down to just understanding how PasswordMaker works, and working out a simple system for how to use it that you can easily remember. In short:

1. Figure out how you want to Group your accounts. It is recommended to keep your high-security accounts (e.g., financial) in a separate Group or Groups.

2. Create a 'template' Account in each Group with the Settings configured the way you want for those Accounts, and use 'Copy Account' to create each new Account in that Group with the correct settings already configured.

3. Modify the Defaults settings, and the settings of the Group Template Accounts from #2 above, in a way that would be difficult for someone else to guess but easy for you to reproduce if it became necessary.

A little thoughtful planning will go a long way.

What if I forget my Master Password?

You're out of luck... so don't forget it.

Seriously, since this password is not stored anywhere (unless you have told it to do so), there is nothing to recover. There is, however, one exception to this rule. If you have stored your Master Password on Disk, it is possible to discover it by doing the following:

  • open a web page to the following link:
  • find/open your RDF file,
  • find the 'globalSettings' section,
  • one at a time, copy/paste the values from the two following lines:


into the appropriate boxes on the page you opened, then click the 'Decrypt' button.

The Master Password that is stored on disk will be revealed in the 'Decrypted Master Password' box.

Firefox / Gecko edition

Where is account information and other settings stored?

For the Firefox extension, everything is stored in %ProfileDirectory%/passwordmaker.rdf. If you don't know where your profile directory is, look here.

For the Google Chrome extensions, everything is stored in "%LocalAppData%\Google\Chrome\User Data\Default\Extension Cookies". If you use Encrypting File System (EFS) to protect the master password, only the "Extension Cookies" file needs to be encrypted, not its containing folder.

How does PasswordMaker defeat keyloggers?

Keyloggers work by recording every key typed on the keyboard. With PasswordMaker, you never type anything but your master password (and if you choose Store Master Password on disk and in memory (encrypted), you only type that once). The real passwords (generated ones) are never typed, so keyloggers never detect them!

How does PasswordMaker defeat phishing attacks?

Most phishing attacks occur when you navigate to a URL which appears to be that of a site that you trust, but actually is owned by an attacker. For example, you might navigate to http://www.bc1.lu/ instead of the Bank of Luxembourg's legitimate URL, http://www.bcl.lu/. The only difference between these two URLs is the lower-case letter L (used by the legitimate site) and the number 1 (used by the deceptive site). The attacker's intent is to get you to enter your username/password credentials on his deceptive site. He can then use those credentials on the legitimate site to do nefarious things.

If you use PasswordMaker, you'll be safe and secure. This is because the password it generates is based on the URL to which you've navigated. The password generated at a deceptive site is completely different than the one generated at a legitimate site (because their URLs differ, even if by one character). You might still be fooled into thinking http://www.bc1.lu/ is the Bank of Luxembourg, but the attacker will get the wrong password if you use PasswordMaker.

I want to use the same password for more than one site. Is this possible?

Yes! Let's suppose you want a Yahoo! account to use the same password as a gMail account. Go to the Advanced Options dialog and create a new account. Click on the URLs tab, and add a second pattern that will match the gMail login URL - in fact, you can add as many patterns as you want to match for this account, and they will all use the same password! The only caveat to this is, if they have different usernames, PasswordMaker won't be able to automatically populate the usernames for you, because you can only define one username per account - but if they all share the same username, PasswordMaker will populate everything automatically for you for all of them. That's it!

Can PasswordMaker accommodate sites that force me to change passwords periodically?

Yes! Go to the Advanced Options dialog and create a new account. In the When URL Contains field, type mybank.com. In the Use the following text... field, type 'mybank.com'. In the Modifier (Counter) field, type any text (such as a date or number) that you wish to change over time. For instance, you could type September 2007. When October comes and the bank expires your password, simply change the Modifier to October 2007. You might instead choose to use an incrementing number. For example, 1 for this month, 2 for the next month, etc. Any text that you enter in the Modifier field will vary the password.

Why doesn't PasswordMaker fill in the username on a site?

Each site can use a different label for identifying the username field, and not all can be found. Currently the best way to handle this is to use the Advanced Auto-Populate tab.

Can I share my settings between multiple computers?

PasswordMaker has "Export Settings" and "Import Settings" options, as well as the ability to upload/download your RDF file to/from an FTP site.

Exporting the settings saves them to a file (with the option to include/exclude the master password in encrypted form), while importing settings takes a file and imports its contents as if you'd manually entered them. You can synchronize two or more PCs this way.

There are plans to optionally save this file on an FTP site so you don't need to transport it across PCs, but you can always opt-out of this. In the meantime, you can store exported settings centrally somewhere yourself (like your web-based email account) to make it easy to import them from anywhere.

How can I change PasswordMaker's shortcuts (ctrl-` and alt-`) to something else?

Install the KeyConfig Extension. Scroll down to the PasswordMaker entry and change the shortcuts to anything you like. Changes won't take effect until you restart Firefox/Mozilla.

How can I turn off the toolbar icons for Mozilla and Netscape?

You can turn them off (and back on again) by creating the new boolean preferences browser.toolbars.showbutton.passwordmaker and browser.toolbars.showbutton.passwordmaker-key in about:config or user.js with the value of true or false. Make sure to restart all browsers after making the change.

How do I uninstall PasswordMaker?

If you're using Firefox, it's quite simple. Select Tools -> Extensions, select PasswordMaker and click the Uninstall button.

If you're using Mozilla or Netscape, it's as simple as deleting two files and one directory:

  • If you installed PasswordMaker to a profile, locate that profile's directory (read this if you don't know how to find it). If you installed PasswordMaker to the browser directory, locate your Mozilla or Netscape installation directory (read this if you don't know how to find it). If you don't know where you installed PasswordMaker, try to remember how you answered this prompt when installation began:


The rest of these directions refer to the path you've identified as path.

  • Delete the file /path/chrome.rdf. This file is automatically regenerated the next time you start Mozilla or Netscape.
  • Delete the file /path/chrome/passwdmaker.jar
  • Delete the directory /path/chrome/overlayinfo. This directory is automatically recreated the next time you start Mozilla or Netscape. If you restart and this directory hasn't been recreated, don't worry: it just means you don't have any other extensions, themes, or skins installed.

Desktop edition

Javascript edition

Yahoo! Widget edition

Command-line edition

PHP / Mobile edition

On-line edition