MCBastos wrote:
Interviewed by CNN on 01/12/2012 19:05, Mark Berger told the world:
SM 2.14.1
Win XP SP 3

Is there a way to set up the master password function so it ONLY asks
for it when you want to 'Show Passwords' using the Password Manager?

I tried turning on Master Passwords "The first time it is needed", but
it then asks for it every time I turn on SM, and twice when I want to
manage passwords.  It seems like it's either all the time, or never,
making it difficult to use it just when you only want to protect your
passwords.

OK. You seem to have a somewhat unclear idea about what's involved in
protecting your passwords.

If you choose a "master password," then your entire password database is
ENCRYPTED using that master password. Logically, if you want to read
that database, you will need the master password.

Now, of course Seamonkey *cannot* save your master password on disk.
Doing so would defeat the entire idea of encrypting passwords in the
first place: all an attacker would have to do is to look for the master
password on disk.

(Since Seamonkey is an open source product, there's no effective way to
"hide" that master password -- if Seamonkey can get to it, anybody else
can too, since the method is all documented in the source code. By the
way, even if Seamonkey were a closed-source product such as IE or Opera,
hiding the password would help very little anyway. "Security by
obscurity" is an outmoded procedure, because it has been shown time and
again that it doesn't work).

So, no, there's no way to set it up to ask for the master password only
when you want to "show passwords." Anything that did that would be
essentially giving you no protection at all, while deceiving you into
*thinking* you were protected -- which is even more dangerous, because
you might entrust something important to a bad security solution.
Cryptographically, it would be the equivalent of locking your front door
and hiding the key under the doormat.


OK, I understand better now how the master password works. I can see why SM would ask for the MP when it starts up, so it can decrypt the passwords when needed. But then it has the MP, so why does it have to ask for it so many times again? I thought that was the purpose of 'The first (implied: and only) time it is needed'. SM would save the MP for use during that session, then erase it when you exit.

Or is there even more that I don't understand?
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
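
The model discussed in this thread, as an added example that is not part of the original messages and is not SeaMonkey's or NSS's code: a generic sketch in which only the salt and ciphertext are on disk, the key is derived from the typed master password, and one unlock serves the rest of the session. All names (`PasswordStore`, `seal`, `unseal`, `derive_key`) are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os

# Added illustration: all names are hypothetical; this is not SeaMonkey/NSS code.
def derive_key(master_password, salt):
    # The key is recomputed from the typed password; it is never written to disk.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real AEAD cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _tag(key, nonce, body):
    return hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + _tag(key, nonce, body) + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, nonce, body)):
        raise ValueError("wrong master password or corrupted store")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class PasswordStore:
    def __init__(self, master_password, logins):
        self.salt = os.urandom(16)              # stored on disk, not secret
        key = derive_key(master_password, self.salt)
        self.on_disk = {site: seal(key, pw.encode()) for site, pw in logins.items()}
        self._session_key = None                # memory only

    def unlock(self, master_password):          # one prompt per session
        key = derive_key(master_password, self.salt)
        unseal(key, next(iter(self.on_disk.values())))  # raises if the password is wrong
        self._session_key = key

    def lock(self):                             # on exit or explicit logout
        self._session_key = None

    def show(self, site):
        if self._session_key is None:
            raise PermissionError("locked: master password required")
        return unseal(self._session_key, self.on_disk[site]).decode()
```

After `unlock()` succeeds, any number of `show()` calls work without another prompt until `lock()` clears the in-memory key; nothing in `on_disk` or `salt` is enough to decrypt without the master password.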
