Difference between revisions of "FAQ"

From PasswordMaker
Jump to navigationJump to search
Line 52: Line 52:
  
 
<p>Keyloggers work by tracing every key typed on the keyboard. With PasswordMaker, you never type anything but your master password (and if you choose <i>Store Master Password on disk and in memory (encrypted)</i>, you only type that <b>once</b>). The <b>real</b> passwords (generated ones) are never typed, so keyloggers never detect them!</p>
 
<p>Keyloggers work by tracing every key typed on the keyboard. With PasswordMaker, you never type anything but your master password (and if you choose <i>Store Master Password on disk and in memory (encrypted)</i>, you only type that <b>once</b>). The <b>real</b> passwords (generated ones) are never typed, so keyloggers never detect them!</p>
 +
 +
== How does PasswordMaker defeat phishing attacks? ==
 +
 +
<p>Most phishing attacks occur when you navigate to a URL which appears to be that of a site that you trust, but actually is owned by an attacker. For example, you might navigate to http://www.bc1.lu/ instead of the Bank of Luxembourg's legimite URL, http://www.bcl.lu/. The only difference between these two URLs is the lower-case letter <b>L</b> (used by the legitimite site) and the number <b>1</b> (used by the deceptive site). The attacker's intent is to get you to enter your username/password credentials on his deceptive site. He can then use those credentials on the legitimite site to do nefarious things.</p>
 +
<p>If you use PasswordMaker, you'll be safe and secure. This is because the password it generates is based on the URL to which you've navigated. The password generated at a deceptive site is completely different than the one generated at a legitimite site (because their URLs differ, even if by one character). You might still be fooled into thinking http://www.bc1.lu/ is the Bank of Luxembourg, but the attacker will get the wrong password if you use PasswordMaker.</p>

Revision as of 13:16, 29 August 2007

If someone gets my master password, can't he determine all of my generated passwords?

No. There are ten other variables he would need for each account. They are:

  • URL
  • character set
  • which of nine hash algorithms was used
  • date counter (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

Can someone "unscramble" my generated passwords to determine my master password?

This is a common complaint heard about hashed-based password systems (for example, see page two of A Convenient Method for Securely Managing Passwords). The complaint simply doesn't hold water with PasswordMaker because PasswordMaker adds nine other variables not used in the traditional password=master+url formula. Those nine variables create an enormous search space which would take thousands of years to search, even using a distributed network of one million modern PCs. The nine variables are:

  • character set
  • which of nine hash algorithms was used
  • date counter (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Of course, the URLs of the sites must also be known since they are used in password calculation. Probably the most interesting of these variables is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

Where is my master password stored?

Nowhere, unless you choose the option Store Master Password on disk and in memory (encrypted). If you choose this option, your master password is stored using 256-bit strong encryption in %ProfileDirectory%/passwordmaker.rdf. If you don't know where your profile directory is, look here. For further protection you can instruct your operating system to encrypt passwordmaker.rdf. Instructions on how to do this with Windows XP/2000/NT are here. Instructions for Mac OS/X Tiger are here.

Where are the generated passwords stored?

Nowhere. The generated passwords are calculated on-the-fly as they are needed. The RAM used to store and calculate the generated passwords is proactively cleared to prevent passwords from being stored in a swap file/virtual memory/paging file.

Where is account information and other settings stored?

Everything is stored in %ProfileDirectory%/passwordmaker.rdf. If you don't know where your profile directory is, look here.

How do I know PasswordMaker isn't sending my passwords to you without my knowledge?

Although you can read the source code to determine this for yourself, there's an easier way. Install a packet sniffer and use PasswordMaker to generate some passwords. You won't see any traffic to or from PasswordMaker -- ever. It never connects to the internet. Two popular packet sniffers are snort (for Unix/Linux/OSX) and ipInterceptor (for Windows). Both tools reveal *all* network traffic, not just HTTP.

If I don't want to change all of my passwords, is PasswordMaker still a good choice?

Yes. PasswordMaker provides a secure method for encrypted storage of a specific, user-provided password for a custom Account. This way you can take advantage of PasswordMaker's other features (such as form completion) while still choosing your own passwords.

To set up a URL/site in this manner, simply go to the login page for the Account that you want to save the password for, create a new (or open the existing) Account for this URL/site, change to Advanced Options> (if you are not already there), click the Advanced Auto-Populate tab, click inside the password field on the login page, click inside the Field Value field, enter your current password, then click the Add> button (just above the list-box for fields), and last but not least, if desired, check Auto-populate username and password fields for sites that contain this URL.

How does PasswordMaker defeat keyloggers?

Keyloggers work by tracing every key typed on the keyboard. With PasswordMaker, you never type anything but your master password (and if you choose Store Master Password on disk and in memory (encrypted), you only type that once). The real passwords (generated ones) are never typed, so keyloggers never detect them!

How does PasswordMaker defeat phishing attacks?

Most phishing attacks occur when you navigate to a URL which appears to be that of a site that you trust, but actually is owned by an attacker. For example, you might navigate to http://www.bc1.lu/ instead of the Bank of Luxembourg's legimite URL, http://www.bcl.lu/. The only difference between these two URLs is the lower-case letter L (used by the legitimite site) and the number 1 (used by the deceptive site). The attacker's intent is to get you to enter your username/password credentials on his deceptive site. He can then use those credentials on the legitimite site to do nefarious things.

If you use PasswordMaker, you'll be safe and secure. This is because the password it generates is based on the URL to which you've navigated. The password generated at a deceptive site is completely different than the one generated at a legitimite site (because their URLs differ, even if by one character). You might still be fooled into thinking http://www.bc1.lu/ is the Bank of Luxembourg, but the attacker will get the wrong password if you use PasswordMaker.