Author Topic: PWM changed all my passwords  (Read 7137 times)

Clint Chamberlin

  • Guest
PWM changed all my passwords
« on: November 05, 2005, 01:51:56 AM »
Eric has asked that I post my unusual problem, as he is temporarily stumped.

My worst nightmare. Every single PW has been changed in PWM except the ones where I defined them using a PREFIX. I started using PWM yesterday with V1.3.1 using FF.  I only used the advanced account settings, and incorporate the user name in PW. However, I did not utilize the "Use this URL" box, and I am somewhat suspicious that his contributed. More on that later.

I created over 20 advanced accounts where I changed the default character string for some, and left it alone for others where special characers were OK. After each PW assignment, I reopened the site and verified that PWM  was using correct PW.

I then exported the file to my laptop, and verified a few as generating the correct PW.  I exported the Master PW as well, so it was exactly the same, but I verified it again.

I rebooted both Desktop and laptop, and that is when all hell broke loose. All but 2 of the PW's on the desktop are different and incorrect. All of the PW's (except those entered with the PREFIX) on the laptop are

+++++DIFFERENT than the DESKTOP, and incorrect.+++++

The only observation I made was that on 2 of the sites where is DID utilize the "Use this URL" box, the PW's remained correct on the Desktop. Since I only did that for 2 or 3 sites, it isn't  a strong point, but may help some of you out there.

I am suspicious of that using the username box, combined with NOT using   the "use this URL" is the "problem, as I saw some strange things when I used it. First, the PW's were all the  same when same user name was used, but on different sites, but again, I did not use the "use this URL.  Then later, probably after a reboot, I noticed that a different PW was being assigned on a new site using same ID, still not using the "use URL".  However, even the sites where I DID use the "use URL" are wrong on the laptop.

Although I did allow 1.3.2 upgrade on desktop today, problem stared
 before upgrade, and I have not upgraded laptop.

I am running XP SP2 with all the latest updates, virus, and spyware. None are reporting problems. I also use a Host file that blocks bad sites, but PWM should not be using DNS or IP's.

I have spent the whole day requesting new PW's at all my sites since I did not have copies of the PWM generated sites.

+++I suggest EVERYONE paste them into a text file for a few days until you are very sure PWM is working. +++

HELP!
Clint

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
PWM changed all my passwords
« Reply #1 on: November 05, 2005, 03:50:06 AM »
Quote
Eric has asked that I post my unusual problem, as he is temporarily stumped.
Hi Clint,

First, I will say that I have been using PWM since version 0.5.1, and the only cases I have ever heard of like this were:

1. a change Eric made that he knew would break passwords for some people, but the change needed to be made and he was very forthright about it,

2. a bug where the default character set for the online version and the extension were slightly different (missing one of the / (slashes).

3. new users who started using PWM without fully understanding how it works.

Please, no offense is intended, but I am fairly confident that your problems will fall into the 3rd category.

Quote
My worst nightmare. Every single PW has been changed in PWM except the ones where I defined them using a PREFIX. I started using PWM yesterday with V1.3.1 using FF. I only used the advanced account settings, and incorporate the user name in PW. However, I did not utilize the "Use this URL" box, and I am somewhat suspicious that his contributed. More on that later.
Most likely you are correct... the 'Using URL' is a big part of using PWM. Yes, you can create an account without putting anything in the fields, but why would you? Maybe Eric should make these fields mandatory?

Clint, the fact that you state that you first started with 1.3.1, yesterday makes it clear this is simply a problem of not fully understanding how PWM works. Think carefully. I think your problem will become apparent...

How did you generate the passwords when you changed them at the sites in question? ie, did you use the 'right-click > populate with passwordmaker'? Or did you open passwordmaker, select the account enter you master password, then copy to the clipboard and paste into the site?

There are many different factors that go into the generation of passwords, and *how* you create them matters greatly.

I am quite sure that once you really get a feel for how PWM works, what you did wrong will become apparent. Consider this:

Quote
I am suspicious of that using the username box, combined with NOT using the "use this URL" is the "problem, as I saw some strange things when I used it. First, the PW's were all the same when same user name was used, but on different sites, but again, I did not use the "use this URL. Then later, probably after a reboot, I noticed that a different PW was being assigned on a new site using same ID, still not using the "use URL". However, even the sites where I DID use the "use URL" are wrong on the laptop.
Of course the passwords would be the same for accounts that didn't use a URL and used the same username and character set. That is expected behavior.

From your description of your problems, I'm sure your problem has to do with the URL used when you actually *changed* the password at the site in question, and the URL used (or *not* used) when you generate the password to log in.

Lastly, hopefully you understand now that PWM is not somethng that you can just install and use without thinking.

Now, if you'll take a few deep breaths, step back, read the PWM docs 2 or 3 times (yes, PWM is complex enough that once may not be enough, but it is *well* worth the effort needed to master it), experiment for a while with one or two accounts until you get the hang of it - and of course feeling free to ask any and all questions you might have here in the forums - then I'm confident you'll realize with a big bang where you went wrong and this thread will serve to help others who might make the same mistake(s).

Best regards, and for what its worth - welcome to the world of PasswordMaker, the most awesome program on the net bar none! :)

Charles

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
PWM changed all my passwords
« Reply #2 on: November 05, 2005, 04:20:51 AM »
Hello Clint,

Thanks for bringing the problem to the forums. As I said, others might come out to try to help. Tanstaafl has some great advice. Reading his post, this jumped out at me:

Quote
From your description of your problems, I'm sure your problem has to do with the URL used when you actually *changed* the password at the site in question, and the URL used (or *not* used) when you generate the password to log in.

When you were changing passwords on websites, can you tell us from where you got this password? Did you use right-mouse click? Had you already defined the custom accounts, or did that come later?

Also, if you're willing to send me the passwordmaker.rdf files from both PCs, that might help (although it's unlikely).

We will work with you until the problem is resolved!

Regards,
Eric

Clint Chamberlin

  • Guest
PWM changed all my passwords
« Reply #3 on: November 05, 2005, 02:37:16 PM »
I understand where you might think that I jumped into PWM without understanding, but this is simply not true. Changing Passwords is a very big deal to me, so before using PWM, I read every msg on the Help support forum, and read the manual and FAQ several times. I believe I understand how it works fairly well, but I certainly hope someone can point out where I have not understood and followed instructions.

However, no where does it say that I must/should populate the box: "Use this URL". The inference that I got was that the box: When "this URL contains" allows a more general use of whatever variations a web site might use in it's address. This box was always populated by pasting the string found in the default box when I was at the web site.

The use of "this URL contains" box is how PWM correctly populated the PW's at each and every site, so I do understand that one of these 2 boxes must be filled in in order for the program to work.

My method for creating the PW's was as follows:
1. Go to the site of interest
2. Create the entry for the web site under select account
3. copy/paste the USING URL box from the default section into the select account "When this URL contains"
4. Right click on the PW box on the site and use the Populate on the screen at the web site where the change PW was being requested.
5. Close the site, and then go back and verify. Since I always chose the auto-fill feature, I did not need any right clicks.

While may have errored by not using the "Use this URL", it is hard to understand why the imported file on my laptop would differ from the Desktop, regardless of what mistakes I may have made. And it does not explain why the correct PW's were inserted both on desktop and laptop before the reboot(if that was in fact what contrtibuted  the change).

The only other thing I can think of is that the act of pasting both the URL and my user name somehow left a trailing space that was dropped later when the program rebooted. I am sure there were no leading spaces.

I will wait for further comments before I consider sending the RDF files.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
PWM changed all my passwords
« Reply #4 on: November 05, 2005, 03:54:36 PM »
Quote
However, no where does it say that I must/should populate the box: "Use this URL".
There has been an ongoing debate about whether or not the GUI should force users to enter this value. See here and here. In fact, version 0.9 of PasswordMaker introduced this:
Quote
Made AccountSettings->Use This URL mandatory as discussed here. Only new accounts are affected.
But then some complained, so the requirement was removed as of version 1.3.

The bottom line is that if you don't enter anything for Use This URL, then it's quite likely you'll get duplicate passwords for different sites. This is because very often all the other fields for accounts are the same (e.g., username).

Quote
The inference that I got was that the box: When "this URL contains" allows a more general use of whatever variations a web site might use in it's address.
Correct! You could even leverage it so that you have the same password for, say, yahoo email and google email. You can think of those two fields like the following sentence, where you fill in the blanks: When the URL contains the string _________, then use the string _______ for password generation.

Quote
My method for creating the PW's was as follows:
1. Go to the site of interest
2. Create the entry for the web site under select account
3. copy/paste the USING URL box from the default section into the select account "When this URL contains"
4. Right click on the PW box on the site and use the Populate on the screen at the web site where the change PW was being requested.
5. Close the site, and then go back and verify. Since I always chose the auto-fill feature, I did not need any right clicks.
This sounds solid to me. I'd like to hear what Tanstaafl thinks, though, or someone else.

Quote
While may have errored by not using the "Use this URL", it is hard to understand why the imported file on my laptop would differ from the Desktop, regardless of what mistakes I may have made. And it does not explain why the correct PW's were inserted both on desktop and laptop before the reboot(if that was in fact what contrtibuted the change).
Agreed.

Quote
The only other thing I can think of is that the act of pasting both the URL and my user name somehow left a trailing space that was dropped later when the program rebooted. I am sure there were no leading spaces.
This sounds like a possibility, although whatever you enter in those fields is stored in the RDF file. If you open the RDF, you should see if there are trailing spaces for anything.

Quote
I will wait for further comments before I consider sending the RDF files
If you decide to send them, please don't store the master password in the files.

The big question I have for you now is: are you still seeing the same behavior? Do the laptop and desktop exhibit different passwords?

Clint Chamberlin

  • Guest
PWM changed all my passwords
« Reply #5 on: November 05, 2005, 05:16:30 PM »
Now I've got one for the record books. I imported the file that I used to populate my laptop with not changes, and presto: All the desktop PW's are back to original and correct whereever I can verify.  I did look at the respective RDF files before this import for fun, but could not see any differences between old destop and old laptop, but I suspect there are subtle things I would not see.  There are definitely no spaces in the PW or URL.

So this sucess made me wonder about the laptop. I moved the RDF file out of the profile directory, and improrted the same original RDF file as above, and presto: everything is the same as the desktop, and back to original!  I guess I should try a reboot and  anything else you guys may suggest, but I think this demonstrates that there is something amiss and problably not a direct result of something I did.

As a reminder, I saved the master PW with the RDF, so that should not be the cause of all these settings being restored to original.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
PWM changed all my passwords
« Reply #6 on: November 05, 2005, 07:05:07 PM »
You've got me stumped.

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
PWM changed all my passwords
« Reply #7 on: November 05, 2005, 07:18:15 PM »
Quote
Quote
However, no where does it say that I must/should populate the box: "Use this URL".
There has been an ongoing debate about whether or not the GUI should force users to enter this value. In fact, version 0.9 of PasswordMaker introduced this: "Made AccountSettings->Use This URL mandatory as discussed here. Only new accounts are affected." But then some complained, so the requirement was removed as of version 1.3.

The bottom line is that if you don't enter anything for Use This URL, then it's quite likely you'll get duplicate passwords for different sites. This is because very often all the other fields for accounts are the same (e.g., username).
Maybe a trade-off would be to have PWM automatically populate them with the current URL when creating a new Account - but allow the user to change them if so desired.

Clint, my apologies for assuming that you dove in blindly - it appears that you did not...

As for the rest - I'm stumped as well. It sounds like you did everything correctly. The only other thing I can think of is some kind of weird extension conflict - what other extensions are you running - and which version of FFox?

Clint Chamberlin

  • Guest
PWM changed all my passwords
« Reply #8 on: November 05, 2005, 08:10:24 PM »
Using FF 1.0.7 with following extensions:
Dictionary Seach .93
Customize Google .34
IE View 1.2.7 (just updated yesterday, same time as problem, but doubt that's it)
No Script 1.1.3.3
Google ToolBar(direct from Google)
Netcraft Toolbar 1.0.3.3 (This one is suspicious. It appears to cause unexplained crashes while trying to resolve information about some sites. I stopped using it prior to installing PWM, but it is still in the list of extensions (did not uninstall)
Thanks for your interest and support.

Eric,
I tend to agree that maybe a trade-off would be to have PWM automatically populate them with the current URL when creating a new Account - but allow the user to change them if so desired. Saves a copy/paste and is more robust. Who knows...maybe even still the cause of my problem. Thanks for your interest and support.

Clint

Offline ajw

  • Jr. Member
  • **
  • Posts: 81
PWM changed all my passwords
« Reply #9 on: November 06, 2005, 05:00:04 PM »
Quote
Maybe a trade-off would be to have PWM automatically populate them with the current URL when creating a new Account - but allow the user to change them if so desired.
This would be fine - even desirable - for me.  (and I'm the one who complained about *requiring* they be filled in... :)

When I'm creating an account for a new site I'd prefer them auto-filled so it saves me work.

When I create an account for non-site info, PM'll fill the fields with the current site, but I'll just erase that - no problem.

Since most accounts *are* for web sites, that seems like very reasonable behavior to me.

- Al -

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
PWM changed all my passwords
« Reply #10 on: November 06, 2005, 08:21:48 PM »
Sounds like a plan.

PasswordMaker Forums

PWM changed all my passwords
« Reply #10 on: November 06, 2005, 08:21:48 PM »