This edition of PasswordMaker is a small, lightweight, free (licensed under the LGPL Open Source license), extension for many of the most popular Gecko based web browsers, including: Firefox, SeaMonkey, Mozilla Suite, Flock and Netscape.
It creates unique, secure passwords that are very easy for you to retrieve, but no one else. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen.
Much of the following information is applicable only to the 1.7.x versions of PasswordMaker. If you are using an older version, please upgrade, and then come back here to learn how to take advantage of all of the unique and powerful features PWM has to offer.
First Things First
In order to prevent some of the most common errors - and to save you a lot of confusion and frustration - you are strongly encouraged to read this entire page, along with the FAQ, at least once prior to attempting to use PasswordMaker.
Precautions and Caveats
PasswordMaker has two different 'modes' that it can operate in - Basic, and Advanced.
Using PasswordMaker in Basic mode (using only the Basic Options) is very secure, and is the recommended way to start out, but there are certain things you should understand in order to avoid problems - the most common of which is locking yourself out of one of your online accounts.
With this in mind, it is best to:
- be sure that you have defined an alternate email address for any important accounts, so you will be able to 'reset' or 'recover' your password in the event that you lock yourself out (this is a good thing to do anyway, whether you use PasswordMaker or not)
- practice a few times on a throw away account, like gmail or yahoo - but the first recommendation still applies
- start out using PasswordMaker in Basic mode - but first learn the difference between Basic and Advanced modes so that you will know if/when you need to switch to the Advanced mode
Basic and Advanced Modes - Differences
The main difference between the two modes is primarily one of complexity, in the form of the large number of configuration options. We will get into each in great detail below, but for now:
- PasswordMaker uses the concept of Accounts to identify a group of settings that work together to generate a password
- In Basic mode, there is only one account that matters (referred to as the Defaults account) - so, only one group of settings (referred to as the Defaults settings), that are applied to every site that you log into
- The main advantage of using only the Basic options is simplicity
- In Advanced mode
- you can create as many unique accounts as desired, each of which has its own settings that are applied only when that account is used
- you must define the URL(s) that identify each account
- you can define multiple URLs for any given account, which means:
- PasswordMaker will use the same settings for all of these sites
- PasswordMaker will generate the same password for all of these sites
- you can optionally save the master password hash, which is a very convenient and safe way to verify that you have entered the same master password when logging into as site as when you created the password - essentially preventing any failed logins
- The main advantage of using the 'Advanced' options is the ability to customize the way PasswordMaker behaves for different sites/accounts
Password Generation - Parameters and Triggers
Regardless of which mode you are using, PasswordMaker makes it very easy to generate unique passwords for different sites on demand - and can optionally automatically detect when you are on a login page and automatically prompt you for the master password.
- The parameters used to generate any given password are:
- the contents of the Using Text field, which by default is the URL components you have enabled (the default is to only use the TLD (top-level domain) - e.g., passwordmaker.org
- the username, if defined
- the extended attributes as provided, or modified by you
- the master password used
- There are two ways PasswordMaker can be triggered into action:
- manually, using the ctrl-` key combination, or
- automatically, if the Auto-populate option is enabled
- if Auto-populate is enabled for the Defaults account, it can be selectively disabled for individual custom accounts, or
- if Auto-populate is disabled for the Defaults account, it can be selectively enabled for individual custom accounts
- if there is no password field detected on the current web page, PasswordMaker will do nothing
When PasswordMaker is triggered, it compares the currently detected URL pattern - which consists of only the components enabled in the Defaults settings - against the defined URL patterns for all of your custom accounts, and
- if a match is not found in any custom accounts that you have defined, then the Defaults settings will be used
- if only one account contains a pattern match, the Master Password Prompt window is opened
- if more than one account contains a pattern match, the Account Selection window opens first, allowing you to select which Account you want to use, and then the Master Password Prompt window is opened
Installation and Initial Configuration
When the installation is complete, a restart of your browser is required to make PasswordMaker available for use. Once you have successfully installed PasswordMaker, there are three ways to open it:
- the PasswordMaker option from the Tools sub-menu:
- the Toolbar icon (golden ring):
- the <ctrl> ` shortcut key (almost always above the 'Tab' key) which looks like this on en-US keyboards:
For Mozilla and Netscape users, the toolbar icon is installed by default. For Firefox users, the toolbar icon must be manually added by using the "View -> Toolbars -> Customize" menu, and then dragging the golden ring icon on to the toolbar.
TODO: need Flock installation instructions...
Once you've installed the extension and configured the Toolbar to your liking, you can Open PasswordMaker by either clicking on the main toolbar button (the golden ring are presented with the Basic Options screen:
Basic Mode / Options
Here we describe the textboxes and buttons on the Basic Options dialog.
1. Master Password
Your ONE "password to rule them all". This password, when combined with a URL (or whatever text string you choose), hash algorithm, optional l33t-speak, username, and counter, is used to generate unique, site-specific passwords, as explained in the introduction.
Note: the reference to 'One' master password is more symbolic than anything, as there is nothing to prevent you from using 2, 5, or as many different master passwords as you like - although that kind of defeats the purpose of PasswordMaker, which is to make things simpler, right?
2. Store Master Password
- Not at all - the master password is not stored anywhere at any time (memory or disk). This is the most secure option, but also the least convenient because you are prompted to enter the master password everytime a password is generated.
- In memory - the master password is stored encrypted in the browser's memory but not on disk. This option provides a reasonable trade-off between security and convenience. You won't be prompted to enter the master password again until all browser instances have closed (disposing memory contents), and the browser is re-opened. The master password is encrypted in memory so that if it's written to disk by the operating system as part of a swap file/paging file, it can't easily be decrypted.
- Store master password on disk and in memory - the master password is stored encrypted on the local hard drive and in memory. This option is the least secure, but the most convenient. You won't ever be prompted to enter the master password when using this option. Note: although the encryption used to store the master password is strong, the encryption/decryption key is also stored on your local hard drive. This makes decryption of the master password relatively simple. You should not use this option unless either (a) you are the only person with access to the hard drive, or (b) you are comfortable with the master password possibly being decrypted by others.
3. Using Text
By default, this shows only the URL compnents of the current URL being used to generate the password, but you can change this to anything you want.
4. Generated Password
Here you see the generated password. It'll be shown as plain text, or encrypted depending on your setting.
5. Copy Generated Password to Clipboard
This button copies the generated password to the clipboard where it remains for the amount of time specified amount in the [advanced-options.xhtml Advanced Options] dialog (10 seconds by default).
6. Advanced Options
Clicking here will switch to the Advanced mode/options.
The Close button closes the current dialog.
Using PasswordMaker In 'Basic' Mode
There are three ways that you will use PasswordMaker from this point forward (assuming you stick with it - and please do - it is well worth the effort - once you 'get it', you'll never know how you lived without it):
- to generate a password for a new account when you are first signing up
- to change the password for an existing account
- to log into an account that you have already changed to a PasswordMaker password
Without PasswordMaker, when you go to any site that requires a username and password, you would manually type in your username, then your password, then click the 'Login' button (or sometimes you can just hit the Enter key).
You will still have to do this for each site that you use, in order to convert the site to work properly with PasswordMaker - but only one more time. From that time forward, you will be able to use PasswordMaker to populate those fields for you, quickly and securely, only having to remember your master password.
As was suggested earlier, please choose some non-essential sites to do first, and make sure that you have properly set up an alternate email address, so that you can unlock the account if you inadvertently lock yourself out of it.
So, to get started, either:
- click here and print out the page the opens, so that you have these full instructions for changing your password handy, or
- open the site you will be using in a new browser tab, and flip between the two sites that way
- follow the instructions for changing your password to one that PasswordMaker generates
Generate Password for a New Account
Password Change Procedure
When you go to a site which requires a password, PasswordMaker, depending on the settings, will either auto populate the password field, let you right click on the password field and give you the selection PasswordMaker in the context menu (todo: link to context-menu section). Then, depending on whether PasswordMaker knows your master password, or not, it will prompt you for your master password and populate the password box on the site, or just populate the password box on the site.
Again, depending on your settings, the password populated in to the password field of the site will either be an account specific, or a default password.
After PasswordMaker has been installed, you should decide whether you wish to log in to your online account, be it a bank account, a subscription type service, with an account / URL specific password, or a default password. The account specific password will be set up with a URL, so that PasswordMaker knows to use those specific settings for the site with the URL set up.
Of course, PasswordMaker can not and will not know your site specific password, unless you change the password of the site or service to the password generated by PasswordMaker. You do this by logging in to the site in question and select to change the password on that site. Typically, you will supply your old password and then a new password, which you will the have to enter again to confirm the new password. Here's an animated example of this process:
Log-In to an Existing Account
When you visit a site which requires a password, just enter your username and right click on the password box and select PasswordMaker to fill in your password, which is determined by your settings. (todo: discuss CoolKey or link to CoolKey section). Then, when you click on the login button, you will be logged into the site. Here is another animated example:
This button displays the help page.
Advanced Options: Accounts Tab
The left side of the Advanced Options window is identical to the Basic Options dialog, with the exception/addition of the 'Master Password Hash' feature.
The functionality provided by the menus is easily ascertained by simply looking at them, but the most important to note is the File menu, that allows you to:
- Import Settings
- Export Settings
- Print Settings
When Printing your settings, you have the option of including the generated passwords for your local and remote accounts, but be aware - you will be prompted for your master password for each and every account, so if you have a lot, this could be time-consuming and confusing.
ToDo: This dialog/process needs a 'Cancel' option...
2. Master Password Hash
The ability to store the master password hash is a powerful and convenient feature that allows you to verify that the master password you enter when prompted via the master password prompt pop-up window is the same one that was used when you generated the password for the account in question. Here is how it works:
ToDo: Add how it works here
The fact that you can enter the wrong master password is actually indicative of a very subtle yet powerful feature of PasswordMaker that you may not yet have grasped:
- there is nothing preventing you from using more than one master password
Using more than one master password can add greatly to the security provided by PasswordMaker, but doing so also adds a level of complexity that can be confusing. If you choose to do this, you should take some time and define precisely how you will implement it. See this tip for a scenario that will clarify this issue, and will enable you to easily create your own, unique method.
- "I use more than one master password" - Because of the way PasswordMaker works, a mechanism for dealing with whether or not you are using a single master password had to be provided, and is currently implemented with this option.
- Here is how it works:
- If it is unchecked, PasswordMaker will use a 'global hash' for all accounts
- If it is checked, PasswordMaker will use the account-specific hash, if it has been stored
- PasswordMaker will not attempt to verify the master password if:
- It is unchecked and the master password global hash has not been stored on disk (1.6 behavior), or
- It is checked but the selected/triggered account has no hash stored on disk
- You can safely switch between the two 'modes' - meaning, you can safely check and uncheck this option - as doing so does not delete any of the Hashes that have been stored, e.g.:
- if you uncheck this option after having saved some account specific master password hashes, and a Global Hash has been stored, it will be used instead of the account specific hash
- if no Global Hash has been stored, it will do nothing
- if you then re-enable this option, the individual Account Hashes that have been stored will again be used
- Hash status - This indicator simply tells you whether or not the master password hash has been stored for the selected account or not. The possible states, which should be self-evident, are:
- Not stored on disk
- Doesn't Match
Suggested ToDo: Simplify the GUI for this even further by changing it to this:
The button label would be contextual - meaning, it would change between Store and Clear, depending on whether the Selected Account has its master password hash already stored or not.
- Store / Clear Master Password Hash -
3. Make Selection Selector
The select box allows you to work with your Groups and Accounts. All of these actions are also available from the context menu.
When the Accounts tab is selected, there are four buttons directly beneath the tabs. Initially, the only entry shown in the Name column is the Default Options account. The only two buttons that are activated/clickable are the New Group and the Settings buttons.
4. Defaults settings
5. Custom Account Group
6. Custom Account
Advanced Options: Global Settings Tab
Here you'll settings which apply to all of PasswordMaker. Currently, there are three checkboxes and one drop-down:
- 1. Mask Generated Password - when checked, generated passwords are masked with asterisks so that they are not legible to the casual observer
- 2. Hide Master Password Field (number of asterisks) This option causes the master password box to be completely concealed, thereby disabling the casual observer to determine the password length by counting asterisks
- 3. Confirm master password by typing it twice -
- 4. Show all passwords on web pages as cleartext -
- 5. Enable auto-complete on pages that disable it -
- 6. Auto-clear clipbord n seconds after copying it there - this security feature prevents you from having to remember to clear the clipboard of generated passwords. If checked, the clipboard is automatically cleared n seconds after pressing the Copy to Clipboard button, where n is the value entered in the associated input field. However, before clearing the clipboard, PasswordMaker checks that nothing else has been copied there since the generated password. If something has been copied there since then, the clipboard contents are not cleared. This prevents other data in the clipboard from being overwritten
- 7. Show status-bar indicator -
- 8. Action to take when coolkey (or ALT-`) is activated - the four options are:
- 1. Do nothing, which means ... do nothing
- 2. Populate all fields, which means that all fields will be populated
- 3. Populate empty fields only, which means that only empty password fields will be populated
- 4. Clear all fields, which means all the fields on the web page will be cleared
Upload / Download Tab
Special Domains Tab
Some domains mandate the use of subdomains. The most common examples of this are ccTLDs (country code top-level domains), such as .uk. A domain in .uk never exists without a SLD (second-level domain), such as .co.uk.
Some domains even require third-level domains; for example, government departments in Australia must include a regional subdomain (e.g., .nsw for New South Wales) followed by .gov.au. In other words, government departments in New South Wales, Australia, must be in the .nsw.gov.au domain.
Finally, some countries issue domain names in both their ccTLD and in SLDs. Japan is an example: their ccTLD is .jp. They issue domains in both .jp and .co.jp. (see http://jprs.jp and http://jprs.co.jp).
With the myriad possibilities for required subdomains, PasswordMaker can't account for them all. It includes some common ones -- the list of which grows from release to release (the default list). However, you are free to add/remove your own using the Special Domains Dialog. Your customizations to the special domains list are exported when using the Export Preferences feature, and imported when using the Import Preferences feature (providing the file being imported contains special domains). In this way, you can easily transfer customized lists to other PasswordMaker installations.
Accounts: Defaults vs. Custom
The ability to define Custom accounts is one of many things that sets PasswordMaker apart from any other password utility out there, but it can also be a source of confusion for people new to PasswordMaker, so it is necessary to understand the following:
- it is not an either / or question - you can use both the Defaults account (hereinafter just plain old Defaults) and Custom accounts at the same time
- there are really only two good reasons to create a Custom account:
- sites that require settings (username, allowed password characters, etc) that are different from the ones specified in your Defaults (in this case you must create a Custom account for this site to use PasswordMaker with it), and/or
- sites that are of a sensitive nature, like, for example, banking/financial sites, Domain Registrar accounts, and Remote Control accounts like LogMeIn or GoToMyPC. There are others of course, but only you can answer the question of whether or not any given account is sensitive for you.
In the first situation, it is necessary to create a Custom account - there is no other way to specify unique settings for any particular account. In the second situation, it is not necessary to create a Custom account, it is simply a personal preference.
You are encouraged to use the Defaults for all other sites that are of a non-sensitive nature.
Don't misunderstand me. This does not mean that you shouldn't create Custom accounts for every single one of the sites you access - by all means, if you want to, then do so. The important thing to understand is that it isn't necessary to do so in order to use PasswordMaker.
Allow me to elaborate on some ways that some site-specific requirement or limitation might create a situation where you would need to create a Custom account, and some tips that will help to minimize such situations.
In the Defaults settings (on the Extended tab), you can specify a username, which is not only used to log into the site - and which can also be automatically populated into the username field on the login page - but it is also one of the items used to generate your passwords.
However, if one of your sites requires a different username from the one you specified in the Defaults, then you would have to either manually change the username on the login page every time after PasswordMaker populates it (because PasswordMaker would have populated it with the one from the Defaults), or, create a Custom account for this site with the correct username. So, with this in mind:
- tip: For non-sensitive sites for which you want to just use the Defaults, pick something for a username that is almost certain to not be used by anyone else - something not a word, or a word that contains special characters in place of certain letters (example: 'mikemybirthyear' instead of just 'Mike') - this will make using the Defaults much easier and more convenient.
Another example is that some sites impose special limitations/requirements with respect to the number of and/or types of characters that are allowed to be used for Passwords which differ from what you specified in your Defaults. For these sites, you would have to define a Custom Account that reflects the different Settings needed to allow PasswordMaker to work properly with that site. So, with that in mind:
- tip: Use only lowercase letters and numbers for the character set in your Defaults, with a lower number of characters - say, 10. Since you are only using the Defaults for non-sensitive sites, this will still give you reasonably secure passwords for your non-sensitive sites, while allowing you to use the Defaults for most of them.
Hopefully this explains the difference between the Defaults and Custom accounts/settings, and will help you to make an informed decision on when - or even if - to use the Defaults, or to create a Custom account, for any given site.
Super Security Tip
The following is from this thread on the PasswordMaker forums - although it has minor edits for clarity and formatting purposes...
What's the consensus here? Is it better to store on the hard drive or type it out each time? The thing that attracted me to this program in the first place is I did not like how other password programs stored lists of passwords on the hard drive.
This is a good question, but due to its nature, one that each person has to answer for themselves.
The fundamental question is actually very simple - convenience vs. security...
When you store the master password on disk (or in memory), it is stored encrypted - but, obviously, PasswordMaker must itself be able to decrypt the master password - and since PasswordMaker is open-source, that means the decryption code is right there for anyone to see, so it would not be difficult for a capable cracker to write some code to steal your master password if they were able to install their code on your computer.
On the other hand, I have read some posts from people who claim that typing out the master password makes you vulnerable to keyloggers.. So I'm kind of confused.
Understandable, but there are acceptable options, even for those super paranoid folks like us!
Yes, if your computer is compromised with a keylogger, the keylogger could grab your master password - but NOT your generated password(s), because they are not actually typed on your keyboard.
There are different ways to deal with these issues, but to give you some ideas...
One thing you can do - and I highly recommend that you do this, but give it some serious thought, and work out a system first - is to modify the Defaults settings, and the settings for any important Custom accounts (ie, important financial accounts) sites in such a way as it would be difficult to guess how you had modified them, but easily reproducible (by you) if it became necessary. To expand on this, if you find yourself with a need for a lot of Custom accounts, you could use a different account Group for each type of account (which is what I do) - e.g., one for unimportant accounts (like online forums, etc), and one for financial accounts - and create unique settings for each Group, instead of for each Account.
Another way to add another layer of security is to develop a simple yet not easily guessable pattern of adding/replacing characters in your generated passwords that is stored in one place that black hats/crackers haven't figured out how to access yet - your head. For example, you could add a certain character (for example, the '$'), in the 3rd position of every generated password. So, when PasswordMaker populates your password field, you'd have to place your mouse in the field, move the cursor to the 3rd position, and manually enter the '$' character.
Of course, this is also subject to being detected by keyloggers, but you can confound them yet again by inserting the cursor directly where you need it to go with the mouse - but we are getting a tad ridiculous now... ;)
The fact is, the only truly secure computer is one that is not plugged into an electrical outlet. If your computer is compromised by a keylogger, then you have more serious problems you need to deal with.
I guess I'd ask the developers of this program... what do you do? Type it out or store it on the hard drive?
Although I'm not one of the developers, personally, I don't store mine at all, I use a different master password for each account Group. I sat down and worked out a system that I was comfortable with on how to categorize them, and it has worked well for me.
One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?
Yep - which means don't lose them. Suggestions for recovering from a situation where you do lose them, in preferred (most secure) order:
- modify the settings, but in such a way that you could reproduce the modifications from memory, and/or
- write down the modifications you make, and put this information a safe place
- don't modify the settings from the Defaults
- and, of course - always keep good backups of your RDF file
If you are truly paranoid, your head is the safest place (as long as you don't talk in your sleep and your wife/partner doesn't work for the NSA or the IRS or ...), and/or maybe in your Safety Deposit Box at your bank - although this information would be available to law enforcement if they were looking for it. This is actually not a bad idea, for one reason: if you have secret stuff that your loved ones may need access to if something happens to you. This is actually something that has concerned me. My system is such that I can re-create these with ease from memory, but if something happened to me, no one would be able to get into my accounts. Now, I'm sorry to say, I don't have millions stashed away in a secret Panamanian bank, but seriously, if I was using PasswordMaker to protect access to anything of substance, I would do something like this so that my wife could get access to everything.
Multiple Master Passwords How-to
Add tip here
Convert Saved FireFox Passwords
Thanks to Tyrantmizar for this excellent tip...
Using the following steps, you can (relatively) easily change the passwords for sites that you have saved in FireFox's Password Manager to ones generated by PasswordMaker..
- Go to the site that you want to change the password for
- Log in using Firefox's built in password manager
- Go to change your password
- I'm not sure, but I think Firefox will automatically put in your old password into the forms. Usually, there are three fields: 1 for your current password, and 2 for your New Password (the second is simply for confirmation purposes). If firefox doesn't automatically put something in, you're going to have to type it in manually.
- Make sure the New Password fields are empty
- Open PasswordMaker - if you need to create a specific Account for this site, do so now
- Click the Global Settings tab
- Make sure that When Alt` Shortcut is pressed is set to populate empty fields only
- Go back to your Browser change your password page and press Alt` - your PasswordMaker password should automatically be put into the 2 New Password fields
- Test the new password by logging out and back in using PasswordMaker
- Delete the saved password from Firefox's Password Manager.
- Repeat steps 1-11 for each site you want to change the password for
If you are going to be changing many passwords in a single session, and you don't want to have to re-enter your Master Password over and over, just set it to store in memory or store to disk.
Multiple Logins, same Domain, different Sub-directory
This tip is courtesy of Romeo as discussed here in the forums.
Some websites have different login subdirectories for different login types - for example:
- www.example.com/normaluser/ and www.example.com/superuser/ (replace with real world example site)
For sites like this, you can simply create a separate account for each one and specify the entire text of the URL, including the subdirectory portion (ie, /normaluser/) in the URL pattern. This will avoid your having to pick the right account when populating the login information.
See the Firefox / Gecko section in the main FAQ.