Mark Berger wrote:
> MCBastos wrote:
>> Interviewed by CNN on 01/12/2012 19:05, Mark Berger told the world:
>>> SM 2.14.1
>>> Win XP SP 3
>>>
>>> Is there a way to set up the master password function so it ONLY asks
>>> for it when you want to 'Show Passwords' using the Password Manager?
>>> I tried turning on Master Passwords "The first time it is needed", but
>>> it then asks for it every time I turn on SM, and twice when I want to
>>> manage passwords. It seems like it's either all the time, or never,
>>> making it difficult to use it just when you only want to protect your
>>> passwords.
>>
>> OK. You seem to have a somewhat unclear idea about what's involved in
>> protecting your passwords.
>>
>> If you choose a "master password," then your entire password database is
>> ENCRYPTED using that master password. Logically, if you want to read
>> that database, you will need the master password.
>>
>> Now, of course Seamonkey *cannot* save your master password on disk.
>> Doing so would defeat the entire idea of encrypting passwords in the
>> first place: all an attacker would have to do is to look for the master
>> password on disk.
>>
>> (Since Seamonkey is an open source product, there's no effective way to
>> "hide" that master password -- if Seamonkey can get to it, anybody else
>> can too, since the method is all documented in the source code. By the
>> way, even if Seamonkey were a closed-source product such as IE or Opera,
>> hiding the password would help very little anyway. "Security by
>> obscurity" is an outmoded procedure, because it has been shown time and
>> again that it doesn't work).
>>
>> So, no, there's no way to set it up to ask for the master password only
>> when you want to "show passwords." Anything that did that would be
>> essentially giving you no protection at all, while deceiving you into
>> *thinking* you were protected -- which is even more dangerous, because
>> you might entrust something important to a bad security solution.
>> Cryptographically, it would be the equivalent of locking your front door
>> and hiding the key under the doormat.
>
> OK, I understand better now how the master password works. I can see
> why SM would ask for the MP when it starts up, so it can decrypt the
> passwords when needed. But then it has the MP, so why does it have to
> ask for it so many times again? I thought that was the purpose of 'The
> first (implied: and only) time it is needed'. SM would save the MP for
> use during that session, then erase it when you exit.
>
> Or is there even more that I don't understand?

This question goes straight to the heart of the bug I wrote - bug 72492
- in that SM essentially appears to ignore the "first time required"
Pref setting. If I open SM and just let it sit there, on a blank page
without even navigating anywhere, it will eventually ask for my
Master...even though I have my Pref set to "first time". After that it
continually prompts me at random intervals...though I've read here that
if it asks once and you Cancel it will continue to ask through the
session, required or not. Which sounds like yet another bug to me.
And even then, in contradiction to "SM doesn't/can't store your Master"
during browsing I *do* only have to enter my Master Password once -
after that any page I navigate to uses the fill from my Stored Passwords
list...so SM must be caching the unlock key somewhere, at least for the
session. It has to be.
All of the above makes sense for use of the Manager (or maybe not,
really) but seems a bit contradictory if you look at SM operation on the whole.
--
- Rufus
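
A small model of the behaviour discussed in this thread, added here as an example; it is not SeaMonkey's code and does not reproduce its storage format. The class name, the PBKDF2 parameters and the SHAKE-256 keystream are assumptions for illustration: the key derived from the master password is held only in memory for the session, while the fields that would go to disk are the salt, a check value and ciphertext.

```python
import hashlib, hmac, os

class Vault:
    """Constructed model of a master-password store (not SeaMonkey's code)."""
    ITERATIONS = 200_000  # assumed PBKDF2 work factor

    def __init__(self, master):
        # salt, check and entries are the only fields that would go to disk.
        self.salt = os.urandom(16)
        self.check = self._tag(self._derive(master))
        self.entries = {}          # site -> (nonce, ciphertext)
        self._session_key = None   # memory only; gone after lock() or exit

    def _derive(self, master):
        return hashlib.pbkdf2_hmac("sha256", master.encode(), self.salt, self.ITERATIONS)

    @staticmethod
    def _tag(key):
        return hmac.new(key, b"master-password-check", hashlib.sha256).digest()

    def unlock(self, master):
        """One prompt per session: cache the derived key if the password is right."""
        key = self._derive(master)
        ok = hmac.compare_digest(self._tag(key), self.check)
        if ok:
            self._session_key = key
        return ok

    def lock(self):
        self._session_key = None

    def _crypt(self, nonce, data):
        if self._session_key is None:
            raise PermissionError("locked: master password required")
        # Stand-in keystream from SHAKE-256; a real store would use an AEAD cipher.
        stream = hashlib.shake_256(self._session_key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def put(self, site, password):
        nonce = os.urandom(16)
        self.entries[site] = (nonce, self._crypt(nonce, password.encode()))

    def get(self, site):
        nonce, ciphertext = self.entries[site]
        return self._crypt(nonce, ciphertext).decode()
```

After one successful `unlock()`, every `get()` works without another prompt until `lock()` is called, and nothing in `salt`, `check` or `entries` is enough to decrypt without the master password.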