PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Bugs => Topic started by: Jim on December 09, 2005, 06:45:20 PM

Title: Passwords don't Match -- again!
Post by: Jim on December 09, 2005, 06:45:20 PM
I have version 1.3.3 running on a Windows 2000 machine and Firefox 1.5.  I seem to have the same problem discussed in an earlier dialog -- the password generated and entered into the password field does not match the one showing in the "Generated Password" field when you open PasswordMaker.  I tried deleting the passwordmaker.rdf file as suggested in that earlier dialog, and it makes no difference.

I have nothing other than the default settings (no account groups) and have not changed any default, other than the one that allows the password to be seen in the web page.  The password in the passwordmaker application is CNdx<8lo but the one that gets pasted into the web page when using the context menu is BxGQ^`q8
Title: Passwords don't Match -- again!
Post by: tanstaafl on December 09, 2005, 06:52:25 PM
What is the website URL?
Title: Passwords don't Match -- again!
Post by: Guest on December 09, 2005, 07:09:28 PM
roxio.com
Title: Passwords don't Match -- again!
Post by: quixin on December 09, 2005, 08:29:25 PM
Hi Jim,  Read through this topic: http://forums.passwordmaker.org/index.php?showtopic=461

I suspect it is related to your situation.  It specifically discusses setting up accounts, but you can have the same problem using Defaults.

Let us know if this is of any help.

quixin
Title: Passwords don't Match -- again!
Post by: tanstaafl on December 09, 2005, 09:38:36 PM
Jim,

www.roxio.com doesn't contain a login...

What is the URL of the LOGIN page?
Title: Passwords don't Match -- again!
Post by: Jim on December 10, 2005, 11:20:01 AM
The URL of the login page is https://www.roxio.com/en/jhtml/registration....id%3Dtoast_7_t (https://www.roxio.com/en/jhtml/registration/login.jhtml?returnPage=http%3A%2F%2Fboards%2Esupport%2Eroxio%2Ecom%2Froxio%3FTARGET%5FURL%3Dhttp%3A%2F%2Fboards.support.roxio.com%2Froxio%2Fboard%3Fboard.id%3Dtoast_7_t)

According to the PasswordMaker dialog box the URL being used is "roxio.com".  The password generated is "CNdx<8lo".  But the one populated into the actual web page using the context menu is "BxGQ^`q8".

I am using default settings, the master password is stored in memory.  Also I am on a different machine now -- yesterday was a PC at the office, today I am at a Mac at home.  Both running Firefox 1.5.  The two sets of passwords are the same on both machines, though.

I don't think the entry referenced above to the credit union situation applies here, but maybe I missed something.
Title: Passwords don't Match -- again!
Post by: quixin on December 10, 2005, 02:39:32 PM
I believe the primary reason users get different passwords is caused by the login page URL and the registration page or change password page using a slightly different URL to generate the password.

Try logging in and navigate to the "Change Password" page.  Note the URL on that page and instead of having PasswordMaker populate the new password field, paste in the password that populates to the login page.
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 10, 2005, 08:58:00 PM
Jim,

Do you have any custom accounts defined? When the password is populated, is the ring icon in the status bar vertical or slanted?
Title: Passwords don't Match -- again!
Post by: Jim on December 10, 2005, 10:14:57 PM
I do have ONE custom account defined for Verizon Wireless.  I think the only thing it does other than the defaults is to use the alphanumeric-only character set for the password.

Let me describe the problem more clearly, since there may be some confusion.  I just tried it again.  I went to the Passwordmaker forums registration page, and also opened up Passwordmaker to the advanced options.  I entered my master password.  The "Using URL" field on the passwordmaker advanced options panel says "passwordmaker.org".  Then I went to the enter password field on the passwordmaker registration page -- I used the context menu choosing "Populate with PasswordMaker".  The password populated into the field is DIFFERENT from the one shown in the PasswordMaker advanced options panel.  You can see what I am seeing by looking at this photo:

http://jimackermann.smugmug.com/photos/47783014-L.jpg

(the resolution is not the greatest but you should be able to tell that the passwords are different.  You can get to the full sized file by going here:  http://jimackermann.smugmug.com/gallery/1030381/1/47783014

and clicking on "original" in the list labeled "Other sizes" below the picture.)

I hope this helps describe the problem.  Also, I tried clicking on the button to copy the password onto the clipboard, then I pasted the password into a notepad.  The password pasted is the one in the advanced options panel, NOT the one obtained using the context menu.  (That is how I bumped into the problem in the first place -- I went to change my password at another web site, and rather than use the context menu, I copied the password from the advanced options panel and pasted it into the web page's "new password" field.  I also pasted it into a notepad.  When I then logged out of the site and tried to log back in, I populated the password field with the context menu -- and the login failed.  But when I copied and pasted the password from my notepad where I had saved it, it worked.)

Oh, and I have never noticed the ring being anything other than horizontal.
Title: Passwords don't Match -- again!
Post by: Robin Monks on December 13, 2005, 12:56:10 PM
I also experience this same problem on various sites.  Including Drupal-powered sites.

Robin
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 13, 2005, 01:56:50 PM
I'm looking into this further and will reply back shortly.
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 14, 2005, 02:18:45 AM
Hi,

I think I understand what's going on. Here's what I did to try to reproduce the bug or problem or whatever it is (it might just be a misunderstanding of how to use the extension).

1. Created new profile and installed passwordmaker. Didn't create any custom accounts.

2. Went to the register page of forums.passwordmaker.org

3. Opened passwordmaker advanced settings and typed a master password.

4. Checked Global Settings->Show all passwords on web pages as clear text. Note that I left "Do not store master password" as the master password storage setting. I did not change any other settings, nor did I close the PasswordMaker dialog.

5. Right-clicked on the password field on the registration page and selected PasswordMaker->Populate With PasswordMaker. At this point, I'm presented with the following prompt:

(http://img485.imageshack.us/img485/2545/capture1213200590413pm9mw.th.jpg) (http://img485.imageshack.us/my.php?image=capture1213200590413pm9mw.jpg)

If I enter the exact same master password as entered in step 3, the generated passwords are the same. If I enter a different password, the generated passwords are different. Are you certain you entered the same MPW both times? From my perspective as one of the core PasswordMaker developers, this is how it should work--but maybe you were expecting something else? Perhaps my vision is clouded by working too closely with this extension :)

If you don't see this image (http://img485.imageshack.us/img485/2545/capture1213200590413pm9mw.jpg), please let me know. That means you've selected a different master password storage setting than me, and I'm not testing the same thing as you...

Thank you for your time in helping debug this,
Eric
Title: Passwords don't Match -- again!
Post by: tanstaafl on December 14, 2005, 01:03:08 PM
Hi Eric,

I've been giving this some thought, because of the number of problems this causes with new users (and hey, I've been bitten by it a couple of times too)...

I have an idea on how it might be handled, but I may be missing something that would make this a bad idea...

Since it is impossible (?) to reverse engineer the Master Password from a hash, why not do the following:

Create a new function called 'Master Password Confirmation Hash'

When this function is called, PWM uses very secure, randomized Account Settings (randomize the Character Set, randomize the password length from 12-20, etc, which would result in a different hash each time) to generate a password which is then hashed and stored - along with the Settings used to generate it - in encrypted form on disk (or, optionally, only in memory).

Once this hash has been generated, have a little red/green light show up in the Master Password Prompt window, that shows red when the Master Password is not the same as the one that generated the Master Password Confirmation Hash, and green when it is the same.

What do you think?
Title: Passwords don't Match -- again!
Post by: Jim on December 14, 2005, 03:45:58 PM
Eric,

I went through the exact same procedure you did -- created a new profile, installed PasswordMaker, etc.  I made very sure that I changed no settings other than the one that shows passwords on web pages as clear text.  Entered my Master Password into the advanced settings.  I left the "Do not store master password" as the password storage setting.

Then I right-clicked on the passwordmaker forum registration page's password field and selected "Populate with Passwordmaker".  I got the dialog box you show.  I entered my Master Password.

I got a different password on the web page from the one showing in the advanced options settings.

I am absolutely certain that I changed no other settings for PasswordMaker.  I am also dead certain that I entered the same master password -- it's the same password that I use as my Firefox master password, and for the keychain on my Mac at home.  I may "fat finger" it on rare occasion, but certainly not this many times and not this consistently!
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 14, 2005, 03:57:28 PM
Jim,

I've reproduced the bug. Thanks for being persistent. I'll have a fix shortly.

Regards,
Eric
Title: Passwords don't Match -- again!
Post by: tanstaafl on December 14, 2005, 04:44:32 PM
Details? Is this something that will affect all of us, or was it unique to only certain sites?
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 14, 2005, 09:12:34 PM
Hi,

Quote
Details? Is this something that will affect all of us, or was it unique to only certain sites?
It affects all sites. The problem has to do with empty/null values for certain account settings. The best way to describe the problem is through an example.

Go here (http://forums.gentoo.org/profile.php?mode=register&agreed=true) to register for a new account on the Gentoo forums. Don't change PasswordMaker in any way except to use the master password 123. The Advanced Options dialog uses the following settings:
Quote
hashAlgorithm=md5
   key=123
   data=gentoo.org
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
This generates the password D_WMNrV[

Now right-click on the password field on the webpage and select PasswordMaker->Populate With PasswordMaker. When prompted for the master password, again enter 123. Go to PasswordMaker's Global Settings tab and check Show all passwords on web pages as clear text. Now look at the password field which was previously asterisks. You'll see DEk~eO?e. The settings used this time were:
Quote
hashAlgorithm=md5
   key=123
   data=gentoo.orgnullnull
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
Look closely at the data setting in both cases and you'll see the first is gentoo.org while the second is gentoo.orgnullnull. The data setting is the concatenation of the URL + username + modifier. By default, username and modifier are empty in the tree cells but null in the RDF. The difference between the two is subtle; empty means the empty string ("") while null is a special value. If you're familiar with databases, you're probably familiar with this concept.

In PasswordMaker, the GUI components generate passwords from settings in the accounts tree. To make the GUI user-friendly, I have it replace null values with the empty string. That way, you don't see the word null in the accounts tree.

But the non-GUI components of PasswordMaker (auto-populate when a page loads, CoolKey, and context-menu clicks) use the RDF to generate passwords -- not the accounts tree GUI. It is in the code which reads RDF values for password generation that null is used instead of the empty string.

Does that explain it? By the way, the Master Password Confirmation Hash isn't a bad idea, but seeing this is a real bug, I'm not sure it's necessary.

edit: Moved to the bugs forum since this is a legitimate bug.
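
Added example, not part of the original post and not PasswordMaker's own code: the null-versus-empty-string mismatch described above, with the two code paths side by side and a corrected RDF read. The function names, the rdfDefaults object and the derive() routine are assumptions made for illustration; derive() is a simplified stand-in and does not reproduce PasswordMaker's real output.

```javascript
// Added illustration; not PasswordMaker source code.
const crypto = require("node:crypto");

// Default character set as listed in the settings quoted in the post.
const CHARSET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
  "`~!@#$%^&*()_-+={}|[]\\:\";'<>?,./";

// Constructed stand-in for the RDF store: unset fields come back as null.
const rdfDefaults = { url: "gentoo.org", username: null, modifier: null };

// GUI path: the accounts tree replaces null with "" before use.
function dataFromTree(s) {
  const cell = (v) => (v === null || v === undefined ? "" : v);
  return cell(s.url) + cell(s.username) + cell(s.modifier);
}

// Non-GUI path as described in the post: raw RDF values are concatenated,
// and JavaScript turns null into the four letters "null".
function dataFromRdfBuggy(s) {
  return s.url + s.username + s.modifier;
}

// Corrected non-GUI path: normalise once, where the value is read.
function readField(s, name) {
  const v = s[name];
  return v === null || v === undefined ? "" : String(v);
}
function dataFromRdfFixed(s) {
  return readField(s, "url") + readField(s, "username") + readField(s, "modifier");
}

// Stand-in derivation (NOT PasswordMaker's real encoding): MD5 over
// key + data, each digest byte mapped onto the character set.
function derive(key, data, length = 8) {
  const digest = crypto.createHash("md5").update(key + data, "utf8").digest();
  return Array.from(digest.subarray(0, length), (b) => CHARSET[b % CHARSET.length]).join("");
}

console.log("tree :", dataFromTree(rdfDefaults), derive("123", dataFromTree(rdfDefaults)));
console.log("buggy:", dataFromRdfBuggy(rdfDefaults), derive("123", dataFromRdfBuggy(rdfDefaults)));
console.log("fixed:", dataFromRdfFixed(rdfDefaults), derive("123", dataFromRdfFixed(rdfDefaults)));
```

Any deterministic generator diverges once the two paths disagree on the input string, so the check worth keeping in a test suite is that every code path produces the same data value for the same stored settings.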
Title: Passwords don't Match -- again!
Post by: Miquel 'Fire' Burns on December 15, 2005, 02:13:45 AM
Does this affect accounts?
Title: Passwords don't Match -- again!
Post by: Eric H. Jung on December 16, 2005, 03:35:55 PM
Unclear. That's why I'd like everyone to try it and let me know (http://forums.passwordmaker.org/index.php?showtopic=636).
Title: Passwords don't Match -- again!
Post by: Miquel 'Fire' Burns on December 16, 2005, 03:44:05 PM
Doesn't seem to affect accounts, only default settings, which I don't use.