FAQ

From PasswordMaker
Revision as of 12:10, 29 August 2007 by Tanstaafl (talk | contribs) (New page: == If someone gets my master password, can't he determine all of my generated passwords? == No. There are ten other variables he would need for each account. They are:<br> * URL * charact...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

If someone gets my master password, can't he determine all of my generated passwords?

No. There are ten other variables he would need for each account. They are:

  • URL
  • character set
  • which of nine hash algorithms was used
  • date counter (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Probably the most interesting of these is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

Can someone "unscramble" my generated passwords to determine my master password?

This is a common complaint heard about hashed-based password systems (for example, see page two of A Convenient Method for Securely Managing Passwords). The complaint simply doesn't hold water with PasswordMaker because PasswordMaker adds nine other variables not used in the traditional password=master+url formula. Those nine variables create an enormous search space which would take thousands of years to search, even using a distributed network of one million modern PCs. The nine variables are:

  • character set
  • which of nine hash algorithms was used
  • date counter (if any)
  • username (if any)
  • password length
  • password prefix (if any)
  • password suffix (if any)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (if at all)

Of course, the URLs of the sites must also be known since they are used in password calculation. Probably the most interesting of these variables is character set because it gives you the flexibility to determine precisely which characters can and can't be included in generated passwords.

Where is my master password stored?

Nowhere, unless you choose the option Store Master Password on disk and in memory (encrypted). If you choose this option, your master password is stored using 256-bit strong encryption in %ProfileDirectory%/passwordmaker.rdf. If you don't know where your profile directory is, look here. For further protection you can instruct your operating system to encrypt passwordmaker.rdf. Instructions on how to do this with Windows XP/2000/NT are here. Instructions for Mac OS/X Tiger are here.

Retrieved from "https://passwordmaker.org/index.php?title=FAQ&oldid=218"