Author Topic: CANCEL at Master password prompt still populates  (Read 17657 times)

Offline nikgrc

  • Normal Members
  • *
  • Posts: 3
CANCEL at Master password prompt still populates
« on: January 01, 2008, 10:44:28 AM »
Have a nice year 2008 to all of you!

Having a little more free time these days, I installed PasswordMaker 1.7.1 on Firefox 2.0.0.11.
Just for testing, I created 2 advanced accounts for the same domain as follows:
- All use the same Master Password but "I use more than one master password" option is checked.
- A Group created with 2 accounts.
- "Use the following text to calculate the generated password" as the full path of the login address (different for each account).
- "Activate auto-population when the URL of a webpage matches any of the following patterns" the same full path as above.
- At "Advanced Auto-Populate" two fields for each account (username, password(hidden)).
- Store Master password = Not at All.
- I have never used Firefox's internal password manager (disabled and empty).

All working as expected...  :)
- For both accounts, if I open the login address, a Master password prompt is shown:
--------------
A password is being generated, but the master password has not been stored in memory or on disk.
Please enter it now or click cancel.
Account for which the password is being generated:
<correct account name according to the page>
Master password <empty field>
Store master password = Not at all
--------------
- If I type a wrong master password it prompts "The master password is not correct"  :)
- If I type the correct password it populates the fields correctly.  :)
... except...
- IF I press the "cancel" button, it still populates the fields correctly!!!!!  :( :( :(

What am I doing wrong?

Thank you


Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: CANCEL at Master password prompt still populates
« Reply #1 on: January 01, 2008, 02:11:32 PM »
Quote
- If I type a wrong master password it prompts "The master password is not correct"  :)
- If I type the correct password it populates the fields correctly.  :)
... except...
- IF I press the "cancel" button, it still populates the fields correctly!!!!!  :( :( :(

It doesn't do this for me...

But... if I do things in the same order you describe, the correct username/passwords are already on the form, and if I click CANCEL, they REMAIN in the fields...

I do think there are two minor issues here...

1. If I initiate the Master Password Prompt, then simply click CANCEL, it currently POPULATES THE USERNAME... in my opinion, it should never do this.

2. It should CLEAR the fields if cancel is clicked...

It's not really a big deal, but this would be more secure imo...
« Last Edit: January 01, 2008, 05:11:29 PM by tanstaafl »

Offline nikgrc

  • Normal Members
  • *
  • Posts: 3
Re: CANCEL at Master password prompt still populates
« Reply #2 on: January 01, 2008, 03:42:35 PM »
Thank you for your quick reply. I am happy that you reproduced the problem.

In my opinion, fields should never be populated, and even more, passwords should never be calculated, before the master password is inserted.

And here is the major issue. How is the real password calculated without the master password?
I have cleared Firefox's cache and cookies several times and a few times I restarted Firefox, but the real password was calculated and populated all the time.

That's why, at first, I believed that I was doing something wrong.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: CANCEL at Master password prompt still populates
« Reply #3 on: January 01, 2008, 05:11:15 PM »
Quote
Thank you for your quick reply. I am happy that you reproduced the problem.

Did you read my first line? I was NOT able to reproduce your problem.

Quote
In my opinion, fields should never be populated, and even more, passwords should never be calculated, before the master password is inserted.

Mine DOESN'T insert a password without a Master Password being entered.

Quote
And here is the major issue. How is the real password calculated without the master password?

As far as I can see, it ISN'T.

As I said, if I reproduce your steps EXACTLY, the correct password is ALREADY POPULATED from the previous step. The only problem I saw was that it really should have CLEARED this field if you click CANCEL... but I guarantee you if you enter the wrong Master Password, the password generated and entered is NOT the correct password...

Quote
I have cleared Firefox's cache and cookies several times and a few times I restarted Firefox, but the real password was calculated and populated all the time.

That's why, at first, I believed that I was doing something wrong.

I believe you are definitely doing something wrong - or simply not realizing how it is working.

Go back and re-read my first reply...

Offline nikgrc

  • Normal Members
  • *
  • Posts: 3
Re: CANCEL at Master password prompt still populates
« Reply #4 on: January 02, 2008, 09:25:02 AM »

Sorry for the "problem reproduce" misunderstanding.

Quote
I believe you are definitely doing something wrong - or simply not realizing how it is working.

I really want to realize how it is working, so I started searching and reading from the beginning and I found it :)

Reading the FAQ "I want PasswordMaker to automatically populate webpage forms for me, but I don't want to change my password on some sites. Is PasswordMaker still a good choice?", I thought that by setting a password field in the adv. autopopulate tab, PWM would require the master password to populate it.
This is wrong and the answer is here:

"How to make PWM save a custom password": http://forums.passwordmaker.org/index.php/topic,363.msg1279028.html#msg1279028
Quote
...You can browse to the page where the password has to be entered, then populate the password field.
This can be done without the master password, because it is not required to populate the password field...

I followed this post's steps and all is working as expected now.  :)

I know that "the point of passwordmaker is to generate passwords on the fly" but if one really wants to save a custom password it has to be done securely.

Thank you

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: CANCEL at Master password prompt still populates
« Reply #5 on: January 02, 2008, 11:04:31 AM »
Hmmm... thinking about it, I think there's only one way to solve it 'the right way'... it would require saving the Master Password Hash for any account that was going to save the password here.

Eric? Should this be made a FR? To force the user to save the MPW Hash before they can save the password in the Advanced Auto-Pop tab? This is the only way I can think of to keep it from populating the field without having to enter a correct MPW...

Offline paxunix

  • Normal Members
  • *
  • Posts: 2
Re: CANCEL at Master password prompt still populates
« Reply #6 on: August 14, 2008, 06:17:04 PM »
I can reproduce this:

1.  In passwordmaker, add a new account
2.  In the URLs tab, add a pattern that matches the URL for the login page for that account
3.  Do NOT check the autopopulate checkbox
4.  In the Advanced Autopopulate tab, add an entry for the custom password (NOT an autogenerated one) for the login page

Hitting the coolkey on the login page in a new window brings up my prompt for master password; if I hit Escape or click Cancel, the password field is populated with my custom password for that account.  Also, if I just reload the page, the password field is populated.  Is it supposed to work that way even if I don't have the autopopulate box checked?  I only ever want my password to be populated (whether it's a custom password or a generated password) when I hit the coolkey.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Re: CANCEL at Master password prompt still populates
« Reply #7 on: August 14, 2008, 06:55:12 PM »
Are you sure it's not Firefox populating the password field? If you asked firefox to save your credentials, it will do that next time you visit.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: CANCEL at Master password prompt still populates
« Reply #8 on: August 14, 2008, 07:10:32 PM »
Right... I think it's FFox doing the populating...

Eric - did you ever look into the two issues this question brought up?

1. Username field IS populated if CANCEL is clicked without entering Master Password

(PWM should CLEAR all fields if CANCEL is clicked)

and

2. MPW is NOT required for passwords that are saved in 'Advanced Auto-Populate'

(PWM should require the MPW hash to be saved, and require the MPW to be entered and match the hash before a saved password is populated)

Offline paxunix

  • Normal Members
  • *
  • Posts: 2
Re: CANCEL at Master password prompt still populates
« Reply #9 on: August 19, 2008, 03:43:20 PM »
Quote
Are you sure it's not Firefox populating the password field? If you asked firefox to save your credentials, it will do that next time you visit.

I am certain it is not Firefox populating the password field.  I have that option disabled (and even went back and toggled on and back off to be sure).  Also tried a clean FF profile with only the Passwordmaker addon installed, imported my passwordmaker.rdf settings from my default profile and saw the same behavior I described above.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Re: CANCEL at Master password prompt still populates
« Reply #10 on: August 19, 2008, 04:22:21 PM »
I just noticed this (sorry for not reading more closely before):

Quote
- At "Advanced Auto-Populate" two fields for each account (username, password(hidden)).

If you save the passwords in the special 'Advanced Auto-populate' fields, then these will always populate REGARDLESS of what you enter into the Master Password.

I seem to recall Eric saying there was a reason for this being hard to fix - I think the proposed solution was to only allow saving these special fields if you also save the MPW hash for that account...

Eric?
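
The two changes proposed in this thread (clear every field on CANCEL; require a saved MPW hash and a matching MPW before a saved Advanced Auto-Populate value is filled in), sketched as an added example that is not part of the original posts and is not PasswordMaker's code. The account object, the plain-object form, all function names and the choice of scrypt as the hash are assumptions.

```javascript
// Added illustration: every name here is hypothetical, not PasswordMaker's API.
const crypto = require('crypto');

// Only a salt and a slow salted hash of the master password (MPW) are kept.
function hashMpw(mpw, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(mpw, salt, 32) };
}

function mpwMatches(account, entered) {
  if (!account.mpwHash || typeof entered !== 'string') return false;
  const candidate = crypto.scryptSync(entered, account.mpwHash.salt, 32);
  return crypto.timingSafeEqual(candidate, account.mpwHash.hash);
}

// Proposal 2: a custom value may be saved only once an MPW hash exists.
function saveCustomField(account, name, value) {
  if (!account.mpwHash) throw new Error('save the master password hash first');
  account.savedFields[name] = value;
}

// entered === null models CANCEL or Escape at the prompt.
// form is a plain {fieldName: value} object standing in for the page inputs.
function onMasterPrompt(account, entered, form) {
  const names = Object.keys(account.savedFields);
  if (!mpwMatches(account, entered)) {
    // Proposal 1: clear every managed field, username included.
    for (const n of names) form[n] = '';
    return entered === null ? 'cancelled' : 'rejected';
  }
  for (const n of names) form[n] = account.savedFields[n];
  return 'populated';
}

// Constructed sample account and form; values are made up for the demo.
function demo() {
  const account = { mpwHash: hashMpw('constructed-master-pw'), savedFields: {} };
  saveCustomField(account, 'username', 'alice');
  saveCustomField(account, 'password', 'constructed-custom-pw');
  const form = { username: 'alice', password: 'constructed-custom-pw' }; // stale fill
  const outcomes = [];
  for (const entered of [null, 'wrong-pw', 'constructed-master-pw']) {
    outcomes.push([onMasterPrompt(account, entered, form), form.password]);
  }
  return outcomes;
}

console.log(demo());
```

In this sketch the hash check only gates population; the saved value is still held as stored, so protecting it at rest would additionally need encryption under a key derived from the master password.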
