Mobile edition problem (HMAC-SHA-256)

[bumbleos]

Hi,

I Just started using Password Maker about 1 month ago, and love it. Since I am so new, if I am totally off, go easy on me. Everything so far has worked beyond perfect, I could not be happier. I just started playing with the downoadable java script, which is cool, then the Mobile Edition (which I guess is also the command line edition too). Both are great, and fast, however, here is my observation:

The mobile edition is missing the algorithm "HMAC-SHA-256 Version 1.5.1." Well let me clarify that, the mobile edition does not list that algorithm with it's full name. Rather the "HMAC-SHA-256" is actually ver 1.5.1 and the actual algorithm "HMAC-SHA-256" is missing all-together. I ran into this when a site I used Password Maker for, and used HMAC-SHA-256, the mobile edition kept returning a bad password, upon further investigation, I believe that it was missing the 1.5.1 version and that HMAC-SHA-256 was not working or had a bug. Then by accident I discovered that HMAC-SHA-256 is actually version 1.5.1.

Since I used HMAC-SHA-256 on a few sites, I was looking at changing them to a different algorithm so I could also retrieve my passwords with the Mobile Edition. However, I though I would post here in case this issue/bug/feature is not known. If this is by design, then I am sorry to post a problem.

Thank you for the wonderful software.

Bumble OS

[Miquel 'Fire' Burns]

If I remember correctly, the PHP editions (mobile and command line) and the command line edition made with C++ (if it's using Javascript) were last updated before the bug in what is now known as HMAC-SHA-256 Version 1.5.1 in the Firefox was fixed.

Also, the nature of the bug in HMAC-SHA-256 Version 1.5.1 makes it impossible to reproduce in other languages, so some editions may never support it, so be very careful about using it.

I'll see about releasing updated versions of the editions that support the correct version of HMAC-SHA-256 if they happen to support version 1.5.1

[bumbleos]

If I understand you correctly then the "bug" is with HMAC-SHA-256 1.5.1, and the complexity or buggiesness of implementing version 1.5.1 in different languages? If that is correct, then the hard part is already done. Because 1.5.1 is already correctly implemented in Firefox plugin, and Password Maker online version and the mobile edition. All that we are missing is HMAC-SHA-256 (non version 1.5.1).

As it stands right now, here is how the different "editions" correspond concerning 1.5.1:
FF HMAC-SHA-256 1.5.1 = OL HMAC-SHA-256 1.5.1 = ME HMAC-SHA-256

Concerning HMAC-SHA-256:
FF HMAC-SHA-256 = OL HMAC-SHA-256 = ME N/A (not currently supported or implemented)

Notes for abbreviations and version numbers used
FF = Firefox Plugin 1.7.2 (addons.mozilla.org/en-US/firefox/addon/469)
OL = Online version 2.5? (passwordmaker.org/Javascript)
ME = Mobile Edition 1.4.1 (http://passwordmaker.org/PHP_/_Mobile)

So should I avoid using HMAC-SHA-256 because not available in Mobile Edition or should I avoid HMAC-SHA-256 1.5.1 even though it is currently available, but because of problems in past, which hint at future bugs/incompatibilities? Thank you for the quick reply.

BumbleOS

[Miquel 'Fire' Burns]

I would use HMAC-SHA-256, and not the 1.5.1 one. I should have a new release of the PHP one by tomorrow, if not tonight.

[bumbleos]

Wow, wonderful. You've answered all my questions, thanks again.

[Miquel 'Fire' Burns]

I released a new version.

[bumbleos]

I just downloaded it. It works perfect, HMAC-SHA-256 is exactly what it should be. Thank you, thank you, thank you. I can't believe how fast you took care of that. I don't know that I can say enough. Amazing.

[Eric H. Jung]

miquel == the man