Rated 5 out of 5 stars

by K Mitchnik on Dec. 3, 2009 · permalink

A security problem with Firefox's password manager is that its kept locally, albeit secured, together with a username and its URL. Thus, the file can be copied, the encrypted files extracted, and because no limits can be imposed on examining a file, brute force decryption methods can be made indefinitely until a master password is found, such as with the freeware program, FireMaster. As more financial institutions go online, the benefit for the work involved makes it increasingly more lucrative for a professional hacker, and the losses great for a user. A simple way to insure best security is to generate an NSA or NIST quality password that is never stored, but used as needed, and that some way can be made to easily remember such as password.

This app does such a thing reliably, including using variables to increasingly confound the password, while still maintaining ease in remembering a password. The program is very flexible and covers many possible ways to use a master password, username and password combination, but with a price, its requires one to read the manual in detail to understand what is being done and what the many fields, and options, that are available in this app.

For a simple general use, this app has a basic mode, which uses a strong cipher generator. But many older websites limit the total characters for a password, or only take alphanumerics, or a limited number of symbols, and few allow the full unicode set including international characters. Thus, the basic mode can generate unsupported passwords for a particular site. If one customized websites as needed, the user has to remember specific customizations for each websites unless its exported in a configuration file that is then uploaded to a 'secret' location to be used on other computers elsewhere.

Luckily, I've found a way to use this app with limited customization that's easy to rmember.

Users should know that many password generator apps do not generate passwords that would not meet standards set by NIST document SP800-63V1_0_2.pdf or reduce their security by storing important local variables with FireFox. Many apps also do not specify which hash algorithm was used to create their passwords, and thus, its not pedigreed by the quality of documentation and analysis given such algorithm. One also cannot be sure if a truly secure hash was implemented properly, or that a backdoor has been built into the application somewhere.

So far, PasswordMaker passes my muster and appears to be one of the most secure methods for making quality passwords. It suffers a tad from its rich but very tech laden, user interface that could use a little more cosmetics to appeal to general users. Its fine for me.