Master Password Hint (like Windows logon)

Swifty
2013-07-28
2013-08-17
  • Swifty
    2013-07-28

    Is it worth requesting the addition of an optional Safe Combination hint like you get with your Windows logon?

    My memory is getting worse as I get even older, and when under stress, I can't recall passwords. This is when Password Safe is a godsend, but only if you can remember your safe combination...

    At times like these, having a "hint" button in the Safe Combination prompt would be very welcome.

    Of course, where you'd store such a hint is a problem, since you haven't opened the file at this point...

    I tried to put a hint in the file's properties, but for some reason, my Windows 7 system isn't letting me add to the file's properties. Is there a way to achieve this?

     
  • Rony Shapiro
    2013-07-28

    Interesting idea. I can think of a way to implement this using the user preference file (pwsafe.cfg). Of course, the hint will also be visible to an attacker...

    Please submit this as a feature request via
    https://sourceforge.net/p/passwordsafe/feature-requests/new/

    Thanks,

    Rony

     
  • Brittney Smith
    2013-08-17

    Everyone has a different "threat model" & security requirements. I don't have a problem w/ a hint feature (though I doubt I'd use it). That said, if your DB PW is so simple that a "hint" will make you remember, it's not a very "secure" PW. Or else, the hint will actually be SEVERAL hints; possibly very specific.

    What hint will spark memory for @&$(?/, or /"#)[-} type characters?
    "Fluffy99" isn't remotely a secure PW, if you're worried.

    If the level of PW used on PWS is just to keep honest folks out, why not write it down? And if away from home (laptop or carry flash drive), have a text file on HDD or flash drive, containing "low security" PWs, that's encrypted w/ a simple PW & using "light weight" zip encryption?

    Or use 7-zip w/ 256 bit (or others) w/ easy to remember PW on the encrypted file? (128 or 256 bit is wasted, using simple PWs)

    Perhaps create PWs, using known techniques, like taking letters of words from (not TOO popular) songs / quotes from books, etc. Add #s (meaningful, but not just B-day, SSN - NEVER SSNs) & convert a couple / few meaningful #s or letters to a special character? Using ONLY B-dates (or converting those to spec. chars.) is TOO easy; use SOME #'s or spec. chars, that are meaningful to you, but others couldn't guess (or look up) easily.

    Simple example (don't use it):
    happy birth day to you. (don't use anything so obvious)
    If your & spouse's B-days are '50 & '49. Convert to spec. chars: %)$(
    Child's B-year is 1980.

    One result: 19HbDtY%)$(80... or, %)$(Hbdty1980

    That's NOT a long / secure PW (hell of a lot more secure than "kitty22"), but easy to make longer. It doesn't matter HOW many upper case letters, spec. chars or #s you use - only that the attacker has to use ALL those character sets in their attack.

    They may know SOME of that data about you, but they have to put it ALL together in the CORRECT order.
    * Each character of length added to a PW, increases # of possible combinations EXPONENTIALLY!!
    If one's THAT worried about attacks, they should use MUCH longer, more random PWs.

    Maybe you have 5 cats & use 1st 2 - 3 letters of their 1st names [last name is same as yours :D) ], w/ other techniques mentioned. Misspelling / spelling words backwards, replacing letters w/ look alike / sound alike characters IS NOT secure. It might keep honest folks out. Attack software & dictionaries already have ALL THOSE tricks built in.

    Where did I get these?
    McaLatmW or CoblmFTtstnoF
    Of course, you'd use #'s & spec. Chars. w/ them.

     
    Last edit: Brittney Smith 2013-08-17
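
Two claims from the post above, worked through in Python: the search alphabet depends on which character sets appear (not how many of each), and every added character multiplies the search space by the alphabet size. This is an added example, not part of the original thread; the function names are hypothetical, and the figure is an upper bound for blind brute force only.

```python
import math
import string

# Character classes a blind brute-force search must include in its alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "special": string.punctuation,     # 32 printable ASCII symbols
}


def alphabet_size(password):
    """Size of the smallest union of the classes above that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password):
    """log2(alphabet_size ** length): an UPPER bound on exhaustive-search work.

    A password assembled from personal data, song initials or look-alike
    substitutions falls much earlier to dictionary and rule-based guessing,
    so treat this as a ceiling, never as a strength rating.
    """
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0


def compare(passwords):
    """Return (password, alphabet size, length, bits) for each entry."""
    return [(p, alphabet_size(p), len(p), round(brute_force_bits(p), 1))
            for p in passwords]


if __name__ == "__main__":
    # Sample passwords quoted in the thread; none should ever be used.
    for row in compare(["kitty22", "Fluffy99", "19HbDtY%)$(80"]):
        print("%-16s alphabet=%-3d length=%-3d upper bound=%s bits" % row)
```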