PasswordMaker Forums
Author Topic: Passwords don't Match -- again!  (Read 6073 times)
tanstaafl
Administrator
« Reply #15 on: December 14, 2005, 04:44:32 PM »

Details? Is this something that will affect all of us, or was it unique to only certain sites?
Logged
Eric H. Jung
grimholtz
Administrator
« Reply #16 on: December 14, 2005, 09:12:34 PM »

Hi,

Quote
Details? Is this something that will affect all of us, or was it unique to only certain sites?
It affects all sites. The problem has to do with empty/null values for certain account settings. The best way to describe the problem is through an example.

Go here to register for a new account on the Gentoo forums. Don't change PasswordMaker in any way except to use the master password 123. The Advanced Options dialog uses the following settings:
Quote
   hashAlgorithm=md5
   key=123
   data=gentoo.org
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
This generates the password D_WMNrV[

Now right-click on the password field on the webpage and select PasswordMaker->Populate With PasswordMaker. When prompted for the master password, again enter 123. Go to PasswordMaker's Global Settings tab and check Show all passwords on web pages as clear text. Now look at the password field which was previously asterisks. You'll see DEk~eO?e. The settings used this time were:
Quote
   hashAlgorithm=md5
   key=123
   data=gentoo.orgnullnull
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
Look closely at the data setting in both cases and you'll see the first is gentoo.org while the second is gentoo.orgnullnull. The data setting is the concatenation of the URL + username + modifier. By default, username and modifier are empty in the tree cells but null in the RDF. The difference between the two is subtle; empty means the empty string ("") while null is a special value. If you're familiar with databases, you're probably familiar with this concept.

In PasswordMaker, the GUI components generate passwords from settings in the accounts tree. To make the GUI user-friendly, I have it replace null values with the empty string. That way, you don't see the word null in the accounts tree.

But the non-GUI components of PasswordMaker (auto-populate when a page loads, CoolKey, and context-menu clicks) use the RDF to generate passwords -- not the accounts tree GUI. It is in the code which reads RDF values for password generation that null is used instead of the empty string.

Does that explain it? By the way, the Master Password Confirmation Hash isn't a bad idea, but seeing this is a real bug, I'm not sure it's necessary.

edit: Moved to the bugs forum since this is a legitimate bug.
« Last Edit: December 14, 2005, 11:36:29 PM by Eric H. Jung » Logged
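
The null-versus-empty-string mismatch described in the post above, as an added JavaScript example that is not part of the original thread and is not PasswordMaker's own code. Function names and sample records are constructed for illustration; the example compares the hash input (the data string) built by each path and shows one shared normalizer removing the divergence.

```javascript
// Added illustration. Names and records are constructed, not PasswordMaker source.

// Path 1 (GUI / accounts tree): null fields are displayed and used as "".
function dataFromTree(rec) {
  const shown = (v) => (v === null || v === undefined ? "" : v);
  return shown(rec.url) + shown(rec.username) + shown(rec.modifier);
}

// Path 2 (RDF read, as the post describes): values are concatenated as stored.
// In JavaScript, string + null produces the literal text "null".
function dataFromRdfBuggy(rec) {
  return rec.url + rec.username + rec.modifier;
}

// Hardened path: normalize in one place that every caller goes through.
function normalize(v) {
  return v == null ? "" : String(v);
}
function dataFromRdfFixed(rec) {
  return [rec.url, rec.username, rec.modifier].map(normalize).join("");
}

// Self-check: list records whose generation paths disagree on the hash input.
// Different input means a different generated password for the same master key.
function findDivergent(records, rdfPath) {
  return records
    .filter((r) => dataFromTree(r) !== rdfPath(r))
    .map((r) => ({ url: r.url, tree: dataFromTree(r), rdf: rdfPath(r) }));
}

// Constructed sample records.
const records = [
  { url: "gentoo.org", username: null, modifier: null },   // defaults, as in the post
  { url: "example.org", username: "alice", modifier: "" }, // both fields set
  { url: "example.net", username: "bob", modifier: null }, // one field unset
];

console.log(findDivergent(records, dataFromRdfBuggy)); // two divergent records
console.log(findDivergent(records, dataFromRdfFixed)); // none
```

Running a check like `findDivergent` over stored settings before and after a fix shows which entries would produce a different password once the normalization changes.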
Miquel 'Fire' Burns
Administrator
« Reply #17 on: December 15, 2005, 02:13:45 AM »

Does this affect accounts?
Logged
Eric H. Jung
grimholtz
Administrator
« Reply #18 on: December 16, 2005, 03:35:55 PM »

Unclear. That's why I'd like everyone to try it and let me know.
Logged
Miquel 'Fire' Burns
Administrator
« Reply #19 on: December 16, 2005, 03:44:05 PM »

Doesn't seem to affect accounts, only default settings, which I don't use.
Logged