PasswordMaker Forums

Miscellaneous => Other => Topic started by: pgimeno on December 16, 2005, 06:21:00 PM

Title: Delimiters between fields
Post by: pgimeno on December 16, 2005, 06:21:00 PM
Here's the suggestion regarding usage of delimiters to separate fields. That change would definitely break backward compatibility in all respects and the problem it solves is not that much of an important issue, but here's the discussion anyway.

The fields used for hash generation, namely master password, URL, user name and modifier, are just concatenated in that order to generate the hash. If one wants to separate the fields again after the concatenation, he will need a bit of guesswork and he may be wrong in certain cases. This means indirectly that under certain circumstances, instead of two different passwords the same one would be generated.

An example of such a scenario:

Master password = "PW"
URL = "domain.org"
User = "user"
Modifier = "1"

Concatenation of the above: "PWdomain.orguser1" which will be the sequence used to generate the password.

Now say the same user has a different account within the same domain:

Master password = "PW"
URL = "domain.org"
User = "user1"
Modifier = "" (blank)

Concatenation of the above: "PWdomain.orguser1", the same sequence as above. The password generated would thus be the same.

The solution to this problem is simply to insert a separator between fields. This separator would ideally be a character that the user can't type, e.g. \n (ASCII LF), \0 (ASCII NUL) or even \037 (ASCII US, Unit Separator), such that no interference with what the user types in can happen (if the separator were typable, e.g. "/", then it would be possible to find ambiguous cases again).

-- Pedro Gimeno
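
The collision described in the post, as an added example that is not part of the original post or PasswordMaker's own code. The function names are hypothetical, and SHA-256 stands in for whichever hash the generator actually uses. The length-prefixed variant goes beyond the post's proposal: it stays unambiguous even if a field contains the separator.

```python
import hashlib

SEP = "\x1f"  # ASCII US (Unit Separator), one of the separators suggested in the post


def concat_plain(master, url, user, modifier):
    """Behaviour described in the post: fields joined with nothing between them."""
    return master + url + user + modifier


def concat_separated(master, url, user, modifier):
    """Proposed fix: join with a separator, refusing fields that already contain it
    (a pasted value could carry the character even if it cannot be typed)."""
    fields = (master, url, user, modifier)
    for field in fields:
        if SEP in field:
            raise ValueError("field contains the separator character")
    return SEP.join(fields)


def concat_length_prefixed(master, url, user, modifier):
    """Generalization: prefix each field with its 4-byte length, so field
    boundaries are recoverable whatever bytes the fields contain."""
    out = b""
    for field in (master, url, user, modifier):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def digest(material):
    """Hash the concatenated material (SHA-256 is an assumption, see lead-in)."""
    if isinstance(material, str):
        material = material.encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# The two accounts from the post: (master password, URL, user, modifier).
ACCOUNT_A = ("PW", "domain.org", "user", "1")
ACCOUNT_B = ("PW", "domain.org", "user1", "")

if __name__ == "__main__":
    for name, fn in (("plain", concat_plain),
                     ("separated", concat_separated),
                     ("length-prefixed", concat_length_prefixed)):
        same = digest(fn(*ACCOUNT_A)) == digest(fn(*ACCOUNT_B))
        print(f"{name:16s} same hash input for both accounts: {same}")
```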