Author Topic: Passwords don't Match -- again!  (Read 33640 times)

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Passwords don't Match -- again!
« Reply #15 on: December 14, 2005, 04:44:32 PM »
Details? Is this something that will affect all of us, or was it unique to only certain sites?

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #16 on: December 14, 2005, 09:12:34 PM »
Hi,

Quote
Details? Is this something that will affect all of us, or was it unique to only certain sites?
It affects all sites. The problem has to do with empty/null values for certain account settings. The best way to describe the problem is through an example.

Go here to register for a new account on the Gentoo forums. Don't change PasswordMaker in any way except to use the master password 123. The Advanced Options dialog uses the following settings:
Quote
hashAlgorithm=md5
   key=123
   data=gentoo.org
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
This generates the password D_WMNrV[

Now right-click on the password field on the webpage and select PasswordMaker->Populate With PasswordMaker. When prompted for the master password, again enter 123. Go to PasswordMaker's Global Settings tab and check Show all passwords on web pages as clear text. Now look at the password field which was previously asterisks. You'll see DEk~eO?e. The settings used this time were:
Quote
hashAlgorithm=md5
   key=123
   data=gentoo.orgnullnull
   whereToUseL33t=off
   l33tLevel=1
   passwordLength=8
   charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={}|[]\:";'<>?,./
   prefix=""
   suffix=""
Look closely at the data setting in both cases and you'll see the first is gentoo.org while the second is gentoo.orgnullnull. The data setting is the concatenation of the URL + username + modifier. By default, username and modifier are empty in the tree cells but null in the RDF. The difference between the two is subtle; empty means the empty string ("") while null is a special value. If you're familiar with databases, you're probably familiar with this concept.

In PasswordMaker, the GUI components generate passwords from settings in the accounts tree. To make the GUI user-friendly, I have it replace null values with the empty string. That way, you don't see the word null in the accounts tree.

But the non-GUI components of PasswordMaker (auto-populate when a page loads, CoolKey, and context-menu clicks) use the RDF to generate passwords -- not the accounts tree GUI. It is in the code which reads RDF values for password generation that null is used instead of the empty string.

Does that explain it? By the way, the Master Password Confirmation Hash isn't a bad idea, but seeing this is a real bug, I'm not sure it's necessary.

edit: Moved to the bugs forum since this is a legitimate bug.
« Last Edit: December 14, 2005, 11:36:29 PM by Eric H. Jung »
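Added example (not part of the post above and not PasswordMaker's own code): a sketch of how URL + username + modifier concatenation yields gentoo.orgnullnull when unset fields are null, next to a normalised version and a check that both code paths agree. The account objects, function names and the plain MD5 hex digest standing in for the real password generator are assumptions made for illustration.

```javascript
// Added example, not PasswordMaker source. Field names follow the thread;
// digest() is a plain MD5 hex digest standing in for the real generator,
// so it will not reproduce the passwords quoted in the post.
const crypto = require("crypto");

// Constructed sample records: the RDF path holds unset fields as null,
// the accounts-tree GUI path holds them as the empty string.
const rdfAccount = { url: "gentoo.org", username: null, modifier: null };
const guiAccount = { url: "gentoo.org", username: "", modifier: "" };

// Behaviour described in the post: string concatenation coerces
// null to the four-character text "null".
function buildDataNaive(acct) {
  return acct.url + acct.username + acct.modifier;
}

// Normalise null/undefined to "" in one place, so the GUI and the
// non-GUI callers always hash the same input.
function buildData(acct) {
  const s = (v) => (v === null || v === undefined ? "" : String(v));
  return s(acct.url) + s(acct.username) + s(acct.modifier);
}

// Stand-in for the hashing step (assumption: key is prepended to data).
function digest(key, data) {
  return crypto.createHash("md5").update(key + data, "utf8").digest("hex");
}

// Regression check: the same logical account must give the same digest
// whichever storage representation it was read from.
function pathsAgree(build, key) {
  return digest(key, build(rdfAccount)) === digest(key, build(guiAccount));
}

console.log("naive RDF data:     ", buildDataNaive(rdfAccount));
console.log("normalised RDF data:", buildData(rdfAccount));
console.log("naive paths agree:     ", pathsAgree(buildDataNaive, "123"));
console.log("normalised paths agree:", pathsAgree(buildData, "123"));
```
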

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Passwords don't Match -- again!
« Reply #17 on: December 15, 2005, 02:13:45 AM »
Does this affect accounts?
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #18 on: December 16, 2005, 03:35:55 PM »
Unclear. That's why I'd like everyone to try it and let me know.

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Passwords don't Match -- again!
« Reply #19 on: December 16, 2005, 03:44:05 PM »
Doesn't seem to affect accounts, only default settings, which I don't use.
"I'm not drunk, just sleep deprived."

PasswordMaker Forums
