Accounts: Defaults vs. Custom
The ability to define Custom accounts is one of many things that sets PasswordMaker apart from any other password utility out there, but it can also be a source of confusion for people new to PasswordMaker, so it is necessary to understand the following:
- it is not an either / or question - you can use both the Defaults account (hereinafter just plain old Defaults) and Custom accounts at the same time
- there are really only two good reasons to create a Custom account:
- sites that require settings (username, allowed password characters, etc) that are different from the ones specified in your Defaults (in this case you must create a Custom account for this site to use PasswordMaker with it), and/or
- sites that are of a sensitive nature, like, for example, banking/financial sites, Domain Registrar accounts, and Remote Control accounts like LogMeIn or GoToMyPC. There are others of course, but only you can answer the question of whether or not any given account is sensitive for you.
In the first situation, it is necessary to create a Custom account - there is no other way to specify unique settings for any particular account. In the second situation, it is not necessary to create a Custom account, it is simply a personal preference.
You are encouraged to use the Defaults for all other sites that are of a non-sensitive nature.
Don't misunderstand me. This does not mean that you shouldn't create Custom accounts for every single one of the sites you access - by all means, if you want to, then do so. The important thing to understand is that it isn't necessary to do so in order to use PasswordMaker.
Allow me to elaborate on some ways that some site-specific requirement or limitation might create a situation where you would need to create a Custom account, and some tips that will help to minimize such situations.
In the Defaults settings (on the Extended tab), you can specify a username, which is not only used to log into the site - and which can also be automatically populated into the username field on the login page - but it is also one of the items used to generate your passwords.
However, if one of your sites requires a different username from the one you specified in the Defaults, then you would have to either manually change the username on the login page every time after PasswordMaker populates it (because PasswordMaker would have populated it with the one from the Defaults), or, create a Custom account for this site with the correct username. So, with this in mind:
- tip: For non-sensitive sites for which you want to just use the Defaults, pick something for a username that is almost certain to not be used by anyone else - something not a word, or a word that contains special characters in place of certain letters (example: 'mikemybirthyear' instead of just 'Mike') - this will make using the Defaults much easier and more convenient.
Another example is that some sites impose special limitations/requirements with respect to the number of and/or types of characters that are allowed to be used for Passwords which differ from what you specified in your Defaults. For these sites, you would have to define a Custom Account that reflects the different Settings needed to allow PasswordMaker to work properly with that site. So, with that in mind:
- tip: Use only lowercase letters and numbers for the character set in your Defaults, with a lower number of characters - say, 10. Since you are only using the Defaults for non-sensitive sites, this will still give you reasonably secure passwords for your non-sensitive sites, while allowing you to use the Defaults for most of them.
Hopefully this explains the difference between the Defaults and Custom accounts/settings, and will help you to make an informed decision on when - or even if - to use the Defaults, or to create a Custom account, for any given site.
Super Security Tip
The following is from this thread on the PasswordMaker forums - although it has minor edits for clarity and formatting purposes...
What's the consensus here? Is it better to store on the hard drive or type it out each time? The thing that attracted me to this program in the first place is I did not like how other password programs stored lists of passwords on the hard drive.
This is a good question, but due to its nature, one that each person has to answer for themselves.
The fundamental question is actually very simple - convenience vs. security...
When you store the master password on disk (or in memory), it is stored encrypted - but, obviously, PasswordMaker must itself be able to decrypt the master password - and since PasswordMaker is open-source, that means the decryption code is right there for anyone to see, so it would not be difficult for a capable cracker to write some code to steal your master password if they were able to install their code on your computer.
On the other hand, I have read some posts from people who claim that typing out the master password makes you vulnerable to keyloggers.. So I'm kind of confused.
Understandable, but there are acceptable options, even for those super paranoid folks like us!
Yes, if your computer is compromised with a keylogger, the keylogger could grab your master password - but NOT your generated password(s), because they are not actually typed on your keyboard.
There are different ways to deal with these issues, but to give you some ideas...
One thing you can do - and I highly recommend that you do this, but give it some serious thought, and work out a system first - is to modify the Defaults settings, and the settings for any important Custom accounts (ie, important financial accounts) sites in such a way as it would be difficult to guess how you had modified them, but easily reproducible (by you) if it became necessary. To expand on this, if you find yourself with a need for a lot of Custom accounts, you could use a different account Group for each type of account (which is what I do) - e.g., one for unimportant accounts (like online forums, etc), and one for financial accounts - and create unique settings for each Group, instead of for each Account.
Another way to add another layer of security is to develop a simple yet not easily guessable pattern of adding/replacing characters in your generated passwords that is stored in one place that black hats/crackers haven't figured out how to access yet - your head. For example, you could add a certain character (for example, the '$'), in the 3rd position of every generated password. So, when PasswordMaker populates your password field, you'd have to place your mouse in the field, move the cursor to the 3rd position, and manually enter the '$' character.
Of course, this is also subject to being detected by keyloggers, but you can confound them yet again by inserting the cursor directly where you need it to go with the mouse - but we are getting a tad ridiculous now... ;)
The fact is, the only truly secure computer is one that is not plugged into an electrical outlet. If your computer is compromised by a keylogger, then you have more serious problems you need to deal with.
I guess I'd ask the developers of this program... what do you do? Type it out or store it on the hard drive?
Although I'm not one of the developers, personally, I don't store mine at all, I use a different master password for each account Group. I sat down and worked out a system that I was comfortable with on how to categorize them, and it has worked well for me.
One other dumb question... the FAQ makes it clear... lose your password? Yes, you're screwed... wouldn't that also be the case if you somehow lose your settings?
Yep - which means don't lose them. Suggestions for recovering from a situation where you do lose them, in preferred (most secure) order:
- modify the settings, but in such a way that you could reproduce the modifications from memory, and/or
- write down the modifications you make, and put this information a safe place
- don't modify the settings from the Defaults
- and, of course - always keep good backups of your RDF file
If you are truly paranoid, your head is the safest place (as long as you don't talk in your sleep and your wife/partner doesn't work for the NSA or the IRS or ...), and/or maybe in your Safety Deposit Box at your bank - although this information would be available to law enforcement if they were looking for it. This is actually not a bad idea, for one reason: if you have secret stuff that your loved ones may need access to if something happens to you. This is actually something that has concerned me. My system is such that I can re-create these with ease from memory, but if something happened to me, no one would be able to get into my accounts. Now, I'm sorry to say, I don't have millions stashed away in a secret Panamanian bank, but seriously, if I was using PasswordMaker to protect access to anything of substance, I would do something like this so that my wife could get access to everything.
Multiple Master Passwords How-to
Add tip here
Convert Saved FireFox Passwords
Thanks to Tyrantmizar for this excellent tip...
Using the following steps, you can (relatively) easily change the passwords for sites that you have saved in FireFox's Password Manager to ones generated by PasswordMaker..
- Go to the site that you want to change the password for
- Log in using Firefox's built in password manager
- Go to change your password
- I'm not sure, but I think Firefox will automatically put in your old password into the forms. Usually, there are three fields: 1 for your current password, and 2 for your New Password (the second is simply for confirmation purposes). If firefox doesn't automatically put something in, you're going to have to type it in manually.
- Make sure the New Password fields are empty
- Open PasswordMaker - if you need to create a specific Account for this site, do so now
- Click the Global Settings tab
- Make sure that When Alt` Shortcut is pressed is set to populate empty fields only
- Go back to your Browser change your password page and press Alt` - your PasswordMaker password should automatically be put into the 2 New Password fields
- Test the new password by logging out and back in using PasswordMaker
- Delete the saved password from Firefox's Password Manager.
- Repeat steps 1-11 for each site you want to change the password for
If you are going to be changing many passwords in a single session, and you don't want to have to re-enter your Master Password over and over, just set it to store in memory or store to disk.
Multiple Logins, same Domain, different Sub-directory
This tip is courtesy of Romeo as discussed here in the forums.
Some websites have different login subdirectories for different login types - for example:
- www.example.com/normaluser/ and www.example.com/superuser/ (replace with real world example site)
For sites like this, you can simply create a separate account for each one and specify the entire text of the URL, including the subdirectory portion (ie, /normaluser/) in the URL pattern. This will avoid your having to pick the right account when populating the login information.