Author Topic: master password verification  (Read 43356 times)

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
master password verification
« on: January 28, 2006, 12:49:08 PM »
I would like to have a master password verification feature.

Currently, if I have a wrong master password in mind, I can type the same wrong value both in the master password and verification field and there is no warning. This can be dangerous when I create a new password.

The following feature could solve that:
- create a new store master password level called: in memory & verification on disk.
- store a hash (verification value) of the master password on disk
- ask only for the master password (not for the confirmation)
- verify the master password entered by hashing it and comparing it with the hash value on disk

This would only be insecure for weak master passwords, where a dictionary or exhaustive search attack would be possible (trying out many possibilities until the same hash is found).
« Last Edit: May 14, 2006, 06:11:01 AM by BHiko »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #1 on: January 28, 2006, 03:58:05 PM »
Hi BHiko,

Excellent idea. Tyrantmizar/Tanstaafl, can you add this to the feature request list?

Thanks,
Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
master password verification
« Reply #2 on: January 28, 2006, 04:19:42 PM »
Done...

A quick question though...

This brings to mind a request I thought of a while back that had a similar aspect, but never actually made. It could actually enhance this request.

How hard would it be to add an 'indicator' (red/green light?) on the Master Password Prompt window, as an alternative visual 'Confirmation', for those who save their MPW on disk (the light is red until the MPW that is entered matches what is saved - this saves them from a failed login attempt)?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #3 on: January 28, 2006, 04:56:31 PM »
I can do that, but can you make it a separate feature request? It's different enough from BHiko's request that I'd like to keep them separate.

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
master password verification
« Reply #4 on: January 28, 2006, 06:55:25 PM »
Let me do some extra promotion for the idea.
For the user, this feature would:
  • require you to enter the Master Password only once
  • the Master Password would be verified by the system each time you enter it
The magic is that the system does not need to know or store the password to be able to verify it. It uses a one-way function to generate a password verification value. This password verification value is stored on disk. Storing the password verification value on disk is not dangerous: as the name one-way function indicates, there is no way to generate the Master Password from the password verification value on disk, it only works the other way round: if the Master Password is known, it can be verified using the password verification value.
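
An added example, not part of any post in this thread and not PasswordMaker's own code: the stored verification value described above, built with a random salt and a slow key-derivation function so that each guess in the dictionary search mentioned in the first post costs many hash rounds. PBKDF2-HMAC-SHA256, the iteration count, the JSON file layout keyed by account name, and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumed work factor for this example
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # One-way and deliberately slow: each guess costs `iterations` HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_verifier(password: str, iterations: int = ITERATIONS) -> dict:
    """Record to store on disk: salt, cost and derived value, never the password."""
    salt = os.urandom(SALT_BYTES)  # fresh per record, so equal passwords differ on disk
    return {"iterations": iterations, "salt": salt.hex(),
            "verifier": _derive(password, salt, iterations).hex()}


def check_password(candidate: str, record: dict) -> bool:
    """Re-derive from the typed value and compare in constant time."""
    derived = _derive(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(derived, bytes.fromhex(record["verifier"]))


def enroll(path: str, account: str, password: str, iterations: int = ITERATIONS) -> None:
    """Add or replace one account's verifier in the JSON file at `path`."""
    store = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            store = json.load(fh)
    store[account] = make_verifier(password, iterations)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(store, fh, indent=2)


def verify(path: str, account: str, candidate: str) -> bool:
    """True only if `candidate` matches the verifier stored for `account`."""
    with open(path, encoding="utf-8") as fh:
        record = json.load(fh).get(account)
    return record is not None and check_password(candidate, record)


if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "verifiers.json")  # constructed sample store
    enroll(path, "Financial sites", "correct horse battery")
    print(verify(path, "Financial sites", "correct horse battery"))
    print(verify(path, "Financial sites", "correct hoarse battery"))
```

The salt and iteration count slow down guessing but do not rescue a weak master password, so the caveat in the first post still applies to the stored file.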

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #5 on: January 29, 2006, 09:50:16 PM »
Hi,

Any word on whether or not these two requests have been added to the FRL?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
master password verification
« Reply #6 on: January 29, 2006, 10:01:19 PM »
You must have missed the 'Done' comment above... ;)

But no, I haven't added my own yet - almost forgot... I'll go do it now...

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #7 on: January 29, 2006, 10:06:30 PM »
Oops. Yep, missed it.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
master password verification
« Reply #8 on: January 29, 2006, 10:07:56 PM »
Added as:

'Master Password Verification - Visual Indicator'
« Last Edit: January 29, 2006, 10:08:22 PM by tanstaafl »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
master password verification
« Reply #9 on: May 14, 2006, 02:43:55 AM »
Clarification...

This storing of the MPW hash is on a PER ACCOUNT basis, correct? Meaning, I could have a different MPW for different account types (ie, different one for Financial sites, Discussion forums, etc)?

If this wasn't a part of this request, mind if I enhance this request, rather than make a separate one?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #10 on: May 14, 2006, 04:10:40 AM »
Yes, this is per account.

Offline BHiko

  • Jr. Member
  • **
  • Posts: 11
master password verification
« Reply #11 on: May 14, 2006, 06:16:22 AM »
I think this feature is important because currently, if you mistype the master password, you might not be aware that PasswordMaker generates different passwords, making it impossible to log in to a site or - worse - making it impossible to log in to a site after entering a 'mistyped' value twice.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #12 on: May 14, 2006, 04:01:43 PM »
Why is it impossible? Just re-enter the master password! At most, it's inconvenient.
« Last Edit: May 14, 2006, 04:02:10 PM by Eric H. Jung »

Offline thibros

  • Full Member
  • ***
  • Posts: 107
master password verification
« Reply #13 on: May 14, 2006, 08:27:11 PM »
I think what BHiko means is if you by chance use PasswordMaker to sign up to a new site with a mistyped master password in memory, and later you don't reconstruct in what way it was mistyped, then you're screwed.

I verify my master password this way, especially on the online forms:
After entering the master password, and the URL field being blank, the generated password is always the same, and I recognize it. Then I enter the additional stuff to generate my password.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
master password verification
« Reply #14 on: May 14, 2006, 09:18:25 PM »
Hi Thibros,

That's exactly how I recognize if I've entered the MPW correctly, too. Apparently, that's not enough for some people. Hence this feature request... which has already been added to the list, so there's not much need to discuss whether or not it's valuable. I understand that it is.

PasswordMaker Forums
