Password Maker supports both of those scenarios. Check out their FAQ.

That said, I would advise against using Password Maker.

I've just had a quick browse of the source and the software uses your
master password as direct key material for their HMAC algorithms. This is a
direct violation of HMAC's security assumptions (specifically, that the key
derivation function is a pseudo-random function). These sorts of errors
make me nervous regarding the general security posture of the application.

If you're still thinking about PasswordMaker (or already using it), the
default settings are quite weak
(http://passwordmaker.sourceforge.net/help/account-settings.xhtml).

I would advise altering these settings to the following:
  - use the SHA256 algorithm
  - increase the default generated password length to at least 12, if not 16
  - update the default character set to include symbols

This will decrease the chance that a vulnerable service (e.g. Facebook) is
retaining a stored hash which can be trivially brute forced using
oclhashcat and 8 GPUs.

-- Ryan Schipper

On 19 December 2012 10:22, Fabrizio Giudici
<[email protected]> wrote:

> On Tue, 18 Dec 2012 23:30:30 +0100, clay <[email protected]> wrote:
>
>> Every recommendation is a system based on some secure server storing
>> passwords.
>>
>> How about hash systems? I use http://passwordmaker.org/
>>
>> You only need to remember one password, the hash system generates new
>> passwords for every new site, and there is no server-storage involved.
>> Nothing to hack, protect, or lose access to.
>>
>
> I didn't know passwordmaker and I'll have a deeper look at it in the next
> days. In the past I've thought of a similar approach, but with some doubts:
>
> 1. In case one password is compromised (e.g. by eavesdropping) you have to
> change the password and give up with this approach, at least for the
> compromised site.
> 2. Sometimes the URL might change. For instance, one of my banks
> introduced a redesigned website. The original URL was www.bank.it, for
> some time it redirected to new.bank.it (transitory period in which the
> original website was still available). This would have caused at least some
> annoyance (forced to change the password) at least temporarily.
>
> Still, it is of some interest.
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> [email protected]
>
> --
> You received this message because you are subscribed to the Google Groups
> "Java Posse" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> javaposse+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/javaposse?hl=en.
>
>
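
Added example, not part of the thread and not PasswordMaker's code: a sketch of a hash-based per-site password generator that stretches the master password with PBKDF2 before using it as an HMAC-SHA256 key, and applies the length and symbol settings recommended in the reply. The function names, iteration count, salt format, character set and the `counter` used to rotate one site's password are all assumptions of this example.

```python
import hashlib
import hmac
import math
import string

# Assumed parameters for this illustration (not PasswordMaker's settings).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"
PBKDF2_ITERATIONS = 200_000


def stretch_master(master: str, username: str) -> bytes:
    """Turn a low-entropy master password into a 32-byte HMAC key with PBKDF2."""
    salt = b"site-password-demo:" + username.encode()
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS)


def site_password(key: bytes, site: str, length: int = 16, counter: int = 0) -> str:
    """Derive a per-site password from the stretched key.

    `site` is a stable label chosen by the user rather than the live URL, and
    `counter` lets one site's password be rotated without changing the master.
    Rejection sampling avoids modulo bias when mapping bytes to CHARSET.
    """
    limit = 256 - (256 % len(CHARSET))  # largest unbiased byte range
    out, block = [], 0
    while len(out) < length:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < limit and len(out) < length:
                out.append(CHARSET[b % len(CHARSET)])
        block += 1
    return "".join(out)


def entropy_bits(length: int, charset_size: int) -> float:
    """Search-space size in bits for a uniformly random password."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    key = stretch_master("constructed master passphrase", "alice")  # constructed input
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=1))  # rotated password
    print(f"12 alphanumeric: {entropy_bits(12, 62):.1f} bits")
    print(f"16 from CHARSET: {entropy_bits(16, len(CHARSET)):.1f} bits")
```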
