Author Topic: don't auto-populate username if MPW not entered correctly  (Read 32087 times)

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« on: September 27, 2005, 11:50:41 PM »
Boy, all the things that happen on my way home.  I left work and my post was the last one.  I came home and a bunch of new posts have been added.

Eric, you asked about my request for hiding the account tree.  I guess that is not so important.  However, I think it would be a good idea to not have PM enter the username, when the password is not supplied correctly.  In other words, one could use the MPW to hash the username and when someone, who doesn't know the MPW goes to a web site, PWM just enters the username un-hashed with the incorrect password.

In other words, when PWM stores the username, it stores it hashed / encrypted with the MPW.  I hope that this explanation makes sense to you and I do not think that this is a very special request, as it 'decurifies' :) PWM that much more.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
don't auto-populate username if MPW not entered correctly
« Reply #1 on: September 28, 2005, 12:03:17 AM »
Quote
However, I think it would be a good idea to not have PM enter the username, when the password is not supplied correctly.

Seconded.



Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
don't auto-populate username if MPW not entered correctly
« Reply #2 on: September 28, 2005, 12:11:47 AM »
Excellent idea. I've split this into its own topic since it wasn't really related to the topic in which it was originally posted.

Tyrantmizar, can you add this to the FRL? It should be implemented quickly because it is a security risk, IMHO.

-Eric
« Last Edit: September 28, 2005, 12:11:55 AM by Eric H. Jung »

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« Reply #3 on: September 28, 2005, 12:18:44 AM »
This is actually a new 'request', because I had pointed that out somewhere else before.  I guess it was sometime after the username population feature was added.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Tyrantmizar

  • Sr. Member
  • ****
  • Posts: 307
don't auto-populate username if MPW not entered correctly
« Reply #4 on: September 28, 2005, 12:19:21 AM »
Quote
It should be implemented quickly because it is a security risk, IMHO.
O_o   How the heck is the current system a security risk?  If you're worried about someone figuring out your username, I doubt this is the way to do it.  Personally, I think it would be a bigger security risk to store the MPW to disk, in any form.  Why would you password-protect the username, something anyone can view by hitting Ctrl` by the way, with the MPW, possibly the most crucial part of the encryption sequence (the url and character set are the close second and third)!?!

Someone please explain to me how this adds security!?!
« Last Edit: September 28, 2005, 12:20:58 AM by Tyrantmizar »
Tyrantmizar
- <a href="http://tyrantmizar.blogsome.com/">Check out my blog</a> (shameless plug :P)
- Lord of the Feature Requests / Enhancements Forum - BWAHAHAHAHA!!!!
- Lord of the other one, the [url=http://forums.passwordmaker.o

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
don't auto-populate username if MPW not entered correctly
« Reply #5 on: September 28, 2005, 06:13:17 PM »
I wasn't going to encrypt the username (as Romeo had suggested). I was only going to prevent username auto-population if you couldn't enter the MPW successfully. However, you are correct--anyone can view this info by bringing up the PasswordMaker dialog. This circles back to Romeo's original idea, which was to hide the entire accounts tab unless/until one could enter the master password.

That's probably the best -- and most appropriate -- solution.

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« Reply #6 on: September 28, 2005, 06:42:41 PM »
Eric, that is correct and come to think of it, if you were to encrypt the username, someone could just try a bunch of MPWs until the output makes sense, unless someone were to use hyroglyphic (sic) usernames.  So, I am not sure what the solution would be, because I am completely opposed to storing the MPW on disk.

The only way I could see all this working, is by using an encrypted hash of MPW and 'master' username as a key to store the user's PM record in the RDF file, which would also take care of hiding the account settings.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
don't auto-populate username if MPW not entered correctly
« Reply #7 on: September 28, 2005, 07:23:53 PM »
This is just off the top of my head, but why hide only the Accounts Tab? Why not prevent the User from entering the Advanced Settings completely without entering the MPW?

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« Reply #8 on: September 28, 2005, 07:39:25 PM »
Tanstaafl, we are talking about hiding the entire account tree.  In other words, when you first open PM, the user will only see the default settings.  Only when the correct MPW and master username are supplied, will the settings become visible.

edit: The settings, as you would see them after you do a clean install.
« Last Edit: September 28, 2005, 07:41:00 PM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
don't auto-populate username if MPW not entered correctly
« Reply #9 on: September 28, 2005, 07:54:32 PM »
Ah.. ok - but what is this 'Master Username'? Is this the Username defined under the 'Defaults' settings?

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« Reply #10 on: September 28, 2005, 08:27:47 PM »
Quote
Ah.. ok - but what is this 'Master Username'? Is this the USername defined under the 'Defaults' settings?
No, this master username would be similar to the master password, which the user would supply when the MPW is supplied.
It is impossible to create a fool-proof system, because fools are ingenious.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
don't auto-populate username if MPW not entered correctly
« Reply #11 on: September 28, 2005, 08:44:50 PM »
Are we getting into the realm of PM 'Profiles' (User Settings Profiles)?

Offline Tyrantmizar

  • Sr. Member
  • ****
  • Posts: 307
don't auto-populate username if MPW not entered correctly
« Reply #12 on: September 28, 2005, 09:13:32 PM »
OK I'll add it as "Hide the username unless MPW entered correctly."

Which brings me to a question:  This is only going to be effective if the MPW is saved to disk, right?
Tyrantmizar
- <a href="http://tyrantmizar.blogsome.com/">Check out my blog</a> (shameless plug :P)
- Lord of the Feature Requests / Enhancements Forum - BWAHAHAHAHA!!!!
- Lord of the other one, the [url=http://forums.passwordmaker.o

Offline Romeo

  • Hero Member
  • *****
  • Posts: 561
don't auto-populate username if MPW not entered correctly
« Reply #13 on: September 28, 2005, 09:24:21 PM »
From my earlier post:
Quote
The only way I could see all this working, is by using an encrypted hash of MPW and 'master' username as a key to store the user's PM record in the RDF file, which would also take care of hiding the account settings.

I am probably thinking in terms of databases, when I say the above, because I do not know enough about encryption, but I could see how the profile record for PWM gets encrypted with the MPW and the master username being the key.

edit:  So, in other words, if you look at the rdf file, you just see a bunch of encryption gibberish, more like displaying a binary file.
« Last Edit: September 28, 2005, 09:25:59 PM by Romeo »
It is impossible to create a fool-proof system, because fools are ingenious.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
don't auto-populate username if MPW not entered correctly
« Reply #14 on: September 29, 2005, 01:43:42 AM »
I say to use a feature like this, store the MPW in a one way hash, resulting in another 'field' for the master password in the rdf file.
"I'm not drunk, just sleep deprived."
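The scheme Romeo sketches (encrypt the profile record under a key derived from the MPW and a master username, so the RDF file holds only ciphertext) and Miquel's point about a one-way check of the MPW, worked through as an added example that is not part of this thread and not PasswordMaker's own code. Everything in it is assumed for illustration: the profile layout, the scrypt parameters, the record format, and the HMAC-SHA256 keystream, which stands in for a real authenticated cipher such as AES-GCM that a shipping implementation would use. It uses only the Python standard library.

```python
"""Profile record sealed under a key derived from MPW + master username.

Added example, not PasswordMaker code.  Standard library only: scrypt for
key derivation, an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for
a real AEAD (use AES-GCM or ChaCha20-Poly1305 in practice).
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample profile: the kind of per-account settings the RDF file would hold.
SAMPLE_PROFILE = {
    "accounts": [
        {"url": "example.com", "username": "alice@example.com", "charset": "alnum"},
    ],
}


def derive_keys(master_password: str, master_username: str, salt: bytes):
    """Derive an encryption key and a MAC key from the MPW and master username.

    The master username is folded into the scrypt salt, so a different
    username yields different keys even for the same MPW.  scrypt's cost
    makes guessing MPWs against the stored record slow.
    """
    km = hashlib.scrypt(
        master_password.encode("utf-8"),
        salt=salt + master_username.encode("utf-8"),
        n=2 ** 14, r=8, p=1, dklen=64,
    )
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (demo stand-in for AEAD)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_profile(profile: dict, master_password: str, master_username: str) -> dict:
    """Encrypt-then-MAC the profile.  Neither the MPW nor a hash of it is stored."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, master_username, salt)
    plaintext = json.dumps(profile, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_profile(record: dict, master_password: str, master_username: str):
    """Return the profile, or None if MPW/username are wrong or the record was altered.

    The MAC check is the one-way 'was the MPW right?' test: a wrong MPW or
    master username derives a different MAC key, so the tag never matches.
    """
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    ciphertext, tag = bytes.fromhex(record["ct"]), bytes.fromhex(record["tag"])
    enc_key, mac_key = derive_keys(master_password, master_username, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # show no account tree, populate no username
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def run_demo() -> dict:
    """Exercise the round trip and the failure cases; returns booleans for checking."""
    record = seal_profile(SAMPLE_PROFILE, "correct horse battery", "alice")
    # Flip the last ciphertext byte to simulate an edited RDF file.
    last = record["ct"][-2:]
    tampered = dict(record, ct=record["ct"][:-2] + ("00" if last != "00" else "ff"))
    return {
        "roundtrip": open_profile(record, "correct horse battery", "alice") == SAMPLE_PROFILE,
        "wrong_mpw_rejected": open_profile(record, "wrong password", "alice") is None,
        "wrong_user_rejected": open_profile(record, "correct horse battery", "bob") is None,
        "tamper_rejected": open_profile(tampered, "correct horse battery", "alice") is None,
        "username_in_clear": "alice@example.com" in json.dumps(record),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

With this layout the MPW itself never touches disk: the stored record carries only a salt, a nonce, ciphertext and a tag, and a wrong MPW or master username simply fails the tag check, so the account settings stay hidden and nothing is auto-populated. The username appears nowhere in the file in the clear, which is what distinguishes this from just hashing the username field.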

PasswordMaker Forums