Author Topic: Question - Username used in Password calculation?  (Read 8482 times)

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« on: August 25, 2005, 03:59:08 PM »
Eric,

I seem to recall you saying something to the effect that the contents of the username field is actually already prepended to the calculated URL that is used for calculating the password. If so, this is not obvious, but should be.

If this is the case, then consider this my request that:

Anywhere the 'Using URL' or 'Calculated URL' is displayed, it should include/show *everything* that is being used to calculate the password - usernames, URL components, etc.

Thanks

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Question - Username used in Password calculation?
« Reply #1 on: August 25, 2005, 04:18:07 PM »
Hi Charles, how about I answer this as a FAQ question and place it in the Help Manual (which Romeo has almost finished)?

I will document the precise formula used to calculate passwords. Would that be satisfactory?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« Reply #2 on: August 25, 2005, 04:25:41 PM »
Well, that depends...

If you are simply going to document that it is using the username but not showing that in the 'Using URL' display, then I would argue...

Either have the 'Using URL' show *exactly* what is being used, or don't show it at all.

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Question - Username used in Password calculation?
« Reply #3 on: August 25, 2005, 04:48:38 PM »
I have to chime in here, too.  Charles, to be precise, the counter would have to be displayed, as well.  However, I think that would be a monstrously long dtring, which I would argue could detroy the aesthetics of the layout.  Furthermore, It clearly states 'Using URL'.

Then, how about the l33t being applied before the password is being generated.  Would we want to display the input string after, or before l33t is applied ?

Needless to say, I am not in favor of doing it this way, either.  Documenting the method in the help, as well as the FAQ section should be plenty.  May be we could create a little sample script in these sections to show how the hash input is being put together.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« Reply #4 on: August 25, 2005, 09:40:56 PM »
Well... ok, Romeo, I see your points, but I don't use l33t and haven't had to use the counter yet, so can't speak for how ugly that could become. I still think that the Username field is one that should be included in the displayed 'Using URL'. It is, in fact being appended directly to the URL. I am using this to manage passwords for many users at certain domains, so I append the users username to the URL, like so:

[email protected]

This allows me to create different passwords for each user on the same domain on the fly. I would like visual confirmation that I didn't have an extra space or something in  there when doing this.

Eric - I'm assuming (ooops, look out!) that it shouldn't be hard to display this info since it is already there, so how about another 'Global Settings' option: 'Display the full URL text being used to generate the password'? Or maybe even a way to choose which of the components are displayed?

Look, this isn't a huge issue for me - I just really like visual confirmation of things. Also, I guess maybe I'm still a little bit untrusting - I keep expecting PM to mysteriously stop working and suddenly lose access to everything that I have converted over to it. Believe it or not I actually had a dream that this happened - guess I've been working too hard... ;)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Question - Username used in Password calculation?
« Reply #5 on: August 26, 2005, 12:51:44 AM »
I can add this as a button which pops up a small dialog box reading something like this, or as tooltip-text, or a large tooltip-balloon or something...

password = prefix +  mpw + usingURL + username + counter + suffix

where the variables to the right of the equals sign contain the current settings in use. l33t settings, charset, hash algorithm, etc. would not be shown--unless you want them for some reason.

Would that work? If you want this everywhere UsingURL is displayed (i.e., Account Settings dialog and Advanced Settings Dialog), I'd rather not do a button... I'd rather do some sort of balloon tooltip or something less obtrusive.

thoughts?

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
Question - Username used in Password calculation?
« Reply #6 on: August 26, 2005, 01:39:51 AM »
Eric, the eternal diplomat.  I agree, this sounds like a good solution.  Of course, when you say  
Code: [Select]
prefix + mpw + usingURL + username + counter + suffixyou are talking about the actual parameters here, correct ?  If nothing is there, the variable just wouldn't show, right ?

In other words, 1234 + passwordmaker.org + eyoung + CX correct, or whatever actual params.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Question - Username used in Password calculation?
« Reply #7 on: August 26, 2005, 02:30:46 AM »
Yep. For example, if you've only defined Url To Use and master password, it would read:

password = foobar + gmail.org

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« Reply #8 on: August 26, 2005, 12:04:39 PM »
Ok, now that I see the code, I'm at least more comfortable knowing...

Yes, a tooltip I think makes the most sense - less obtrusive, but easy to activate... but...

Maybe you could have it displayed in full *only* on the Master Password Dialog without requiring the tooltip? Or, as I suggested, make this an option that the user can enable at will in the Global Settings:

[] Display Full 'Using URL' string in Master Password Dialog

?
Thanks again for listening to me quibble about inconsequentials... :)

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Question - Username used in Password calculation?
« Reply #9 on: August 26, 2005, 12:58:23 PM »
Quote
Maybe you could have it displayed in full *only* on the Master Password Dialog without requiring the tooltip? Or, as I suggested, make this an option that the user can enable at will in the Global Setting
OK, I can't put it in the Using URL field. It will mess things up. I can, however, add another field underneath it:

Formula: password = foobar + gmail.org

which can be turned on/off with a global setting. How does that sound?

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« Reply #10 on: August 26, 2005, 01:02:02 PM »
purrrfect!

you da man!

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Question - Username used in Password calculation?
« Reply #11 on: August 28, 2005, 10:48:48 PM »
I've added this question and answer to the FAQ.

Quote
new!  How are the account-settings I choose (e.g., username, counter, characters, l33t, prefix, suffix, etc.) applied? In other words, what is the exact algorithm used to generate passwords?

If you've selected a non-HMAC hash function (those without the HMAC prefix), passwords are generated using the following pseudocode:

password = mp + usingURL + username + counter
password = leet(password, leetlevel)   [optional]
password = hash(password, charset)
password = leet(password, leetlevel)   [optional]
password = prefix + password + suffix
password = truncate(password, length)

If you've selected an HMAC hash function (those with the HMAC prefix), passwords are generated using the following pseudocode:

data = usingURL + username + counter
mp = leet(mp, leetlevel)   [optional]
data = leet(data, leetlevel)   [optional]
password = hmac_hash(mp, data, charset)
password = leet(password, leetlevel)   [optional]
password = prefix + password + suffix
truncate(password, length)

where + is the concatenation operator. mp is the master password, usingURL is the value in "Using URL", and username, counter, prefix, and suffix are optional settings specified in the Account Settings dialog. For HMAC hash functions, mp is the secret key and data is the input text.

Does this help?
-Eric

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Question - Username used in Password calculation?
« Reply #12 on: August 28, 2005, 11:16:13 PM »
Yes... thanks...

After you explained it, and I had time to think about it, I came up with my 'Modifiable Username Prompt' as a substitute for the request to create the UTL-Prefix field. Have you had a chance to look at this? It should be much simpler to implement than what I was originally requesting, and will pretty much do everything I wanted in the first place.

PasswordMaker Forums

Question - Username used in Password calculation?
« Reply #12 on: August 28, 2005, 11:16:13 PM »