
This edition of PasswordMaker is a small, lightweight, free (licensed under the LGPL Open Source license) extension for many of the most popular Gecko-based web browsers, including Firefox, SeaMonkey, Mozilla Suite, Flock and Netscape.

It creates unique, secure passwords that are very easy for you, and no one else, to create and use. Nothing is stored anywhere, anytime, so there's nothing to be hacked, lost, or stolen.

Much of the following information is applicable only to the 1.7.x versions of PasswordMaker. If you are using an older version, please upgrade, and then come back here to learn how to take advantage of all of the unique and powerful features PWM has to offer.

The Advanced Usage page still needs a bit of work, but for all intents and purposes, the wiki is now considered stable enough for anyone and everyone to start adding to it.

First Things First

In order to prevent some of the most common errors - and to save you a lot of confusion and frustration - you are strongly encouraged to read this entire page, along with the FAQ, at least once prior to attempting to use PasswordMaker.

Precautions and Caveats

PasswordMaker has two different 'modes' that it can operate in - Basic, and Advanced.

Using PasswordMaker in Basic mode (using only the Basic Options) is very secure, and is the recommended way to start out, but there are certain things you should understand in order to avoid problems - the most common of which is locking yourself out of one of your online accounts.

With this in mind, it is best to:

  • be sure that you have defined an alternate email address for any important accounts, so you will be able to 'reset' or 'recover' your password in the event that you lock yourself out (this is a good thing to do anyway, whether you use PasswordMaker or not)
  • practice a few times on a throwaway account, like gmail or yahoo - but the first recommendation still applies
  • start out using PasswordMaker in Basic mode - but first learn the difference between Basic and Advanced modes so that you will know if/when you need to switch to the Advanced mode

Note: PasswordMaker is currently unable to populate Basic HTTP Auth pop-up prompts like this:
[Image: Basic HTTP Auth pop-up prompt]

Basic and Advanced Modes - Differences

The main difference between the two modes is primarily one of complexity, in the form of the large number of configuration options. We will get into each in detail below, but for now:

  • PasswordMaker uses the concept of Accounts to identify a group of settings that work together to generate a password
  • In Basic mode, there is only one account that matters (referred to as the Defaults account) - so, only one group of settings (referred to as the Defaults settings), that are applied to every site that you log into

- The main advantage of using only the Basic options is simplicity

  • In Advanced mode
    • you can create as many unique accounts as desired, each of which has its own settings that are applied only when that account is used
      • notably you will be able to store the user name that you have on a site, and to pre-fill the user name text box on the site's login page
    • you must specify the URL(s) that identify each account
    • you can specify multiple URLs for any given account, which means:
      • PasswordMaker will use the same settings for all of those sites
      • PasswordMaker will generate the same password for all of those sites
    • you can optionally save the master password hash, which is a very convenient and safe way to verify that you have entered the same master password (when logging into a site) as when you created the password - essentially preventing any failed logins

- The main advantage of using the 'Advanced' options is the ability to customize the way PasswordMaker behaves for different sites/accounts

Password Generation - Parameters and Triggers

Regardless of which mode you are using, PasswordMaker makes it very easy to generate unique passwords for different sites on demand. It can optionally detect automatically when you are on a login page, or be triggered by a simple keystroke or toolbar button click; it then prompts you for the master password and populates both the username and password fields.

  • The parameters used to generate any given password are:
    • the contents of the Using Text field, which by default is the URL components you have enabled (the default is to only use the Top- and Second-level Domain) - e.g.,
    • the username, if defined
    • the extended attributes as provided, or modified by you
    • the master password used
  • There are two ways PasswordMaker can be triggered into action:
    • manually, using the ctrl-` key combination, or
    • automatically, if the Auto-populate option is enabled
      • if Auto-populate is enabled for the Defaults account, it can be selectively disabled for individual custom accounts, or
      • if Auto-populate is disabled for the Defaults account, it can be selectively enabled for individual custom accounts
    • if there is no password field detected on the current web page, PasswordMaker will do nothing

When PasswordMaker is triggered, it compares the currently detected URL pattern - which consists of only the components enabled in the Defaults settings - against the defined URL patterns for all of your custom accounts, and

  • if a match is not found in any custom accounts that you have defined, then the Defaults settings will be used
  • if only one account contains a pattern match, the Master Password Prompt window is opened
  • if more than one account contains a pattern match, the Account Selection window opens first, allowing you to select which Account you want to use, and then the Master Password Prompt window is opened
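The matching flow above, as an added example (not PasswordMaker's own code). The account shape, the `*` wildcard syntax and every function name are assumptions. Because only the enabled URL components are compared, a lookalike host such as `example.com.evil.test` reduces to `evil.test` and falls through to the Defaults settings instead of a custom account.

```javascript
// Added illustration of the matching flow described above. The account
// shape, the '*' wildcard syntax and all names are assumptions.
function detectedPattern(url, parts = { domain: true }) {
  const { protocol, hostname, pathname } = new URL(url);
  const labels = hostname.split('.');
  // Naive split: last two labels = top- and second-level domain. Suffixes
  // such as "co.uk" need a public-suffix list, which this sketch omits.
  const domain = labels.slice(-2).join('.');
  const subdomain = labels.slice(0, -2).join('.');
  let text = '';
  if (parts.protocol) text += protocol + '//';
  if (parts.subdomain && subdomain) text += subdomain + '.';
  if (parts.domain) text += domain;
  if (parts.path) text += pathname;
  return text;
}

// Turn a pattern with '*' wildcards into an anchored, case-insensitive RegExp.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$', 'i');
}

// Decide which of the three outcomes applies for the current page.
function resolveAccount(url, accounts, parts) {
  const text = detectedPattern(url, parts);
  const matches = accounts.filter(a =>
    a.patterns.some(p => wildcardToRegExp(p).test(text)));
  if (matches.length === 0) return { text, action: 'use-defaults', accounts: [] };
  const action = matches.length === 1 ? 'prompt-master-password' : 'select-account';
  return { text, action, accounts: matches.map(a => a.name) };
}

// Constructed accounts for the demonstration.
const ACCOUNTS = [
  { name: 'shopping', patterns: ['example.org', 'example.net'] },
  { name: 'work', patterns: ['example.com'] },
  { name: 'work-admin', patterns: ['example.c*'] },
];

console.log(resolveAccount('https://login.example.org/signin', ACCOUNTS));
console.log(resolveAccount('https://www.example.com/login', ACCOUNTS));
console.log(resolveAccount('https://example.com.evil.test/login', ACCOUNTS));
```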

Installation and Initial Configuration

For Firefox, SeaMonkey, Mozilla Suite and Netscape, the installation is done automatically from
Beta Releases can be downloaded from here
Older Releases can be downloaded from here

When the installation is complete, a restart of your browser is required to make PasswordMaker available for use. Once you have successfully installed PasswordMaker, there are three ways to open it:

  • the PasswordMaker option from the Tools sub-menu:


  • the Toolbar icon (golden ring):


  • the <ctrl> ` shortcut key (almost always above the 'Tab' key) which looks like this on en-US keyboards: ` - key

For Mozilla and Netscape users, the toolbar icon is installed by default. For Firefox users, the toolbar icon must be manually added by using the "View -> Toolbars -> Customize" menu, and then dragging the golden ring icon on to the toolbar.

TODO: need Flock installation instructions...

Once you've installed the extension and configured the Toolbar to your liking, you can Open PasswordMaker by either clicking on the main toolbar button (the golden ring are presented with the Basic Options screen:

Basic Mode / Options

[Image: Basic Options dialog with numbered pointers]

Here we describe the textboxes and buttons on the Basic Options dialog.

1. Master Password

Your ONE "password to rule them all". This password, when combined with a URL (or whatever text string you choose), hash algorithm, optional l33t-speak, username, and counter, is used to generate unique, site-specific passwords, as explained in the introduction.

Note: the reference to 'One' master password is more symbolic than anything, as there is nothing to prevent you from using 2, 5, or as many different master passwords as you like - although that kind of defeats the purpose of PasswordMaker, which is to make things simpler, right?
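An added sketch (not PasswordMaker's code) of how the inputs listed here and under "Password Generation - Parameters and Triggers" can deterministically yield a site password without storing anything. The construction (HMAC-SHA256, JSON field encoding, rejection sampling), the character set and all names are assumptions; l33t-speak is omitted.

```javascript
// Added illustration: deterministic site-password derivation.
// The construction (HMAC-SHA256, JSON field encoding, rejection sampling) and
// all names here are assumptions, NOT PasswordMaker's actual algorithm.
const { createHmac } = require('crypto');

const DEFAULT_CHARSET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()';

function derivePassword({ master, usingText, username = '', counter = '',
                          algorithm = 'sha256', length = 12,
                          charset = DEFAULT_CHARSET }) {
  if (!master || !usingText) throw new Error('master and usingText are required');
  if (charset.length < 2 || charset.length > 256) throw new Error('bad charset');
  // Bytes >= limit are discarded so every charset character is equally likely.
  const limit = 256 - (256 % charset.length);
  let password = '';
  for (let block = 0; password.length < length; block++) {
    // JSON-encoding the fields keeps ("ab","c") distinct from ("a","bc").
    const message = JSON.stringify([usingText, username, counter, block]);
    const digest = createHmac(algorithm, master).update(message).digest();
    for (const byte of digest) {
      if (byte < limit && password.length < length) {
        password += charset[byte % charset.length];
      }
    }
  }
  return password;
}

// Constructed sample inputs: nothing is stored, so the same inputs must
// always reproduce the same password, and any changed input a different one.
const base = { master: 'correct horse battery staple', usingText: 'example.com',
               username: 'alice' };
const sitePassword = derivePassword(base);
const otherSite = derivePassword({ ...base, usingText: 'example.org' });
const rotated = derivePassword({ ...base, counter: '2' });
console.log({ sitePassword, otherSite, rotated });
```

Changing the counter gives a new password for the same site without changing the master password.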

2. Store Master Password

Once you have entered a master password, you can click in this box and be presented with three options:

  • Not at all - the master password is not stored anywhere at any time (memory or disk). This is the most secure option, but also the least convenient because you are prompted to enter the master password every time a password is generated.
  • In memory - the master password is stored encrypted in the browser's memory but not on disk. This option provides a reasonable trade-off between security and convenience. You won't be prompted to enter the master password again until all browser instances have closed (disposing memory contents), and the browser is re-opened. The master password is encrypted in memory so that if it's written to disk by the operating system as part of a swap file/paging file, it can't easily be decrypted.
  • Store master password on disk and in memory - the master password is stored encrypted on the local hard drive and in memory. This option is the least secure, but the most convenient. You won't ever be prompted to enter the master password when using this option. Note: although the encryption used to store the master password is strong, the encryption/decryption key is also stored on your local hard drive. This makes decryption of the master password relatively simple. You should not use this option unless either (a) you are the only person with access to the hard drive, or (b) you are comfortable with the master password possibly being decrypted by others.

To erase the master password and encryption key from disk and memory, select the Not at all option, or simply clear the master password field from either the Tools sub-menu or the context menu:

3. Using Text

By default, this shows only the URL components of the current URL being used to generate the password, but you can change this to anything you want.


4. Generated Password

Here you see the generated password. It'll be shown as plain text, or encrypted depending on your setting in the 'Global Settings' tab.


5. Copy Generated Password to Clipboard

This button copies the generated password to the clipboard, where it remains for the amount of time specified in the Advanced Options dialog (10 seconds by default).

6. Advanced Options

Clicking here will switch to the Advanced mode/options.


7. Close

The Close button closes the current dialog.

Using PasswordMaker In 'Basic' Mode

There are three ways that you will use PasswordMaker from this point forward (assuming you stick with it - and please do - it is well worth the effort - once you 'get it', you'll never know how you lived without it):

Without PasswordMaker, when you go to any site that requires a username and password, you would manually type in your username, then your password, then click the 'Login' button (or sometimes you can just hit the Enter key).

You will still have to do this for each site that you use, in order to convert the site to work properly with PasswordMaker - but only one more time. From that time forward, you will be able to use PasswordMaker to populate those fields for you, quickly and securely, only having to remember your master password.

As was suggested earlier, please choose some non-essential sites to do first, and make sure that you have properly set up an alternate email address, so that you can unlock the account if you inadvertently lock yourself out of it.

So, to get started, either:

  • click here and print out the page that opens, so that you have these full instructions for changing your password handy, or
  • open the site you will be using in a new browser tab, and flip between the two sites that way
  • follow the instructions for changing your password to one that PasswordMaker generates

Generate Password for a New Account

Password Change Procedure

When you go to a site which requires a password, PasswordMaker's behavior depends on the settings. It can auto-populate the password field or, if you right click on the password field, you can select PasswordMaker in the context menu (todo: link to context-menu section). In either case, if PasswordMaker does not know your master password, it will prompt you for it. Once PasswordMaker has your master password, it will populate the password field for you. The generated password could be account specific or based on the default account settings, depending upon how you have things configured.

Of course, PasswordMaker cannot know the current password for a site (or service) if you didn't use PasswordMaker to create it. You must change the password at that site (or service) to the password generated by PasswordMaker so that PasswordMaker can provide it thereafter. Just log into the site (or service), navigate to the change password form, enter your old password, ask PasswordMaker to generate a password for that site, and put it in the new password and confirmation fields. Here's an animated example of this process:

[Animation: ChangePasswordDemo.swf]

Log Into an Existing Account

When you visit a site which requires a password, just enter your username, right click on the password box, and select PasswordMaker. If you have not saved your master password, PasswordMaker will ask you for it. Then, PasswordMaker will generate a password for that site, based upon your settings, and populate the password field with your password. (todo: discuss CoolKey or link to CoolKey section). Just click on the log in button to log into the site as usual.

Here is a video showing this process in action: [Video: Passwordmaker_login.swf]


This button displays the help page.