PasswordMaker Forums
Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: BHiko on January 28, 2006, 12:49:08 PM
-
I would like to have a master password verification feature.
Currently, if I have a wrong master password in mind, I can type the same wrong value both in the master password and verification field and there is no warning. This can be dangerous when I create a new password.
The following feature could solve that:
- create a new store master password level called: in memory & verification on disk.
- store a hash (verification value) of the master password on disk
- ask only for the master password (not for the confirmation)
- verify the master password entered by hashing it and comparing it with the hash value on disk
This would only be unsecure for weak master passwords, where a dictionary or exhaustive search attack would be possible (trying out many possibilities until the same hash is found).
-
Hi BHiko,
Excellent idea. Tyrantmizar/Tanstaafl, can you add this to the feature request list?
Thanks,
Eric
-
Done...
A quick question though...
This brings to mind a request I thought of a while back that had a similar aspect, but never actually made. It could actually enhance this request.
How hard would it be to add an 'indicator' (red/green light?) on the Master Password Prompt window, as an alternative visual 'Confirmation', for those who save their MPW on disk (the light is red until the MPW that is entered matches what is saved - this saves them from a failed login attempt)?
-
I can do that, but can you make it a separate feature request? It's different enough from BHiko's request that I'd like to keep them separate.
-
Let me do some extra promotion for the idea.
For the user, this feature would:
- require entering the Master Password only once
- the Master Password would be verified by the system each time you enter it
The magic is that the system does not need to know or store the password to be able to verify it. It uses a one way function to generate a password verification value. This password verification value is stored on disk. Storing the password verification value on disk is not dangerous: as the name one way function indicates, there is no way to generate the Master Password from the password verification value on disk, it only works the other way round: if the Master Password is known, it can be verified using the password verification value.
-
Hi,
Any word on whether or not these two requests have been added to the FRL?
-
You must have missed the 'Done' comment above... ;)
But no, I haven't added my own yet - almost forgot... I'll go do it now...
-
Oops. Yep, missed it.
-
Added as:
'Master Password Verification - Visual Indicator'
-
Clarification...
This storing of the MPW hash is on a PER ACCOUNT basis, correct? Meaning, I could have a different MPW for different account types (ie, different one for Financial sites, Discussion forums, etc)?
If this wasn't a part of this request, mind if I enhance this request, rather than make a separate one?
-
Yes, this is per account.
-
I think this feature is important because currently, if you mistype the master password, you might not be aware that PasswordMaker generates different passwords, making it impossible to login to a site or - worse - making it impossible to login to a site after entering a 'mistyped' value twice.
-
Why is it impossible? Just re-enter the master password! At most, it's inconvenient.
-
I think what BHiko means is if you by chance use PasswordMaker to sign up to a new site with a mistyped master password in memory, and later you don't reconstruct in what way it was mistyped, then you're screwed.
I verify my master password this way, especially on the online forms:
After entering the master password, and the URL field being blank, the generated password is always the same, and I recognize it. Then I enter the additional stuff to generate my password.
-
Hi Thibros,
That's exactly how I recognize if I've entered the MPW correctly, too. Apparently, that's not enough for some people. Hence this feature request... which has already been added to the list, so there's not much need to discuss whether or not it's valuable or not. I understand that it is.
-
I verify my master password this way, especially on the online forms:
After entering the master password, and the URL field being blank, the generated password is always the same, and I recognize it.
You said "the URL field being blank". It's not blank for me - it's whatever URL my web browser is looking at.
Could you describe a little more precisely what screen you're on, and by what keystrokes you got there?
This sounds like a useful way to verify I've got my master password right, but currently it is inconvenient for me, as it seems I have to manually clear the URL field. What's worse, I'm not usually even on the screen that has this "using URL" field to clear it. I'm usually on the Alt-` "Master Password Prompt" screen that doesn't have a "using URL" field.
I must be missing something.
-
... Hence this feature request... which has already been added to the list, so there's not much need to discuss whether or not it's valuable or not. I understand that it is.
Aha - this discussion led me to another way of meeting this need, that might be easier to code, and more pleasing to use.
On the Alt-` Master Password Prompt window, display the results of encrypting the empty string using the entered master password.
Then each time I entered my Master Password, I'd glance at the encryption of the empty string, to be sure it came up as I expected.
This would really confuse someone looking over my shoulder. They'd see me type one thing, see a password-like word cycle through variations as I type, and the asterisks in the actual web form would be hiding an entirely different string, that incorporated the URL.
-
This would really confuse someone looking over my shoulder.
Wouldn't it confuse newbies, too? I'd rather just stick with the original idea. What do you think?
-
Huh? I think I'm confused.... :)
-
Ok, this old one was actually a duplicate of the Option to store MPW's hash to disk/memory (http://forums.passwordmaker.org/index.php?showtopic=419) - so marking as such, and migrating votes...
-
Ok, the new 1.7 release fulfills this FR, so am closing it out...
So, the following get one vote back:
Felipe, BHiko, ThePythonicCow, forbin, John Liebson and popmonkey