Author Topic: Passwords don't Match -- again!  (Read 33641 times)

Jim

  • Guest
Passwords don't Match -- again!
« on: December 09, 2005, 06:45:20 PM »
I have version 1.3.3 running on a Windows 2000 machine and Firefox 1.5.  I seem to have the same problem discussed in an earlier dialog -- the password generated and entered into the password field does not match the one showing in the "Generated Password" field when you open PasswordMaker.  I tried deleting the passwordmaker.rdf file as suggested in that earlier dialog, and it makes no difference.

I have nothing other than the default settings (no account groups) and have not changed any default, other than the one that allows the password to be seen in the web page.  The password in the passwordmaker application is CNdx<8lo but the one that gets pasted into the web page when using the context menu is BxGQ^`q8

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Passwords don't Match -- again!
« Reply #1 on: December 09, 2005, 06:52:25 PM »
What is the website URL?

Guest

  • Guest
Passwords don't Match -- again!
« Reply #2 on: December 09, 2005, 07:09:28 PM »
roxio.com

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
Passwords don't Match -- again!
« Reply #3 on: December 09, 2005, 08:29:25 PM »
Hi Jim,  Read through this topic: http://forums.passwordmaker.org/index.php?showtopic=461

I suspect it is related to your situation.  It specifically discusses setting up accounts, but you can have the same problem using Defaults.

Let us know if this is of any help.

quixin



Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Passwords don't Match -- again!
« Reply #4 on: December 09, 2005, 09:38:36 PM »
Jim,

www.roxio.com doesn't contain a login...

What is the URL of the LOGIN page?

Jim

  • Guest
Passwords don't Match -- again!
« Reply #5 on: December 10, 2005, 11:20:01 AM »
The URL of the login page is https://www.roxio.com/en/jhtml/registration....id%3Dtoast_7_t

According to the PasswordMaker dialog box the URL being used is "roxio.com".  The password generated is "CNdx<8lo".  But the one populated into the actual web page using the context menu is "BxGQ^`q8".

I am using default settings, the master password is stored in memory.  Also I am on a different machine now -- yesterday was a PC at the office, today I am at a Mac at home.  Both running Firefox 1.5.  The two sets of passwords are the same on both machines, though.

I don't think the entry referenced above to the credit union situation applies here, but maybe I missed something.

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
Passwords don't Match -- again!
« Reply #6 on: December 10, 2005, 02:39:32 PM »
I believe the primary reason users get different passwords its caused by the login page URL and the registration page or change password page using a slightly different URL to generate the password.

Try logging in and navagate to the "Change Password" page.  Note the URL on that page and instead of having PasswordMaker populate the new password field, paste in the password that populates to the login page.



Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #7 on: December 10, 2005, 08:58:00 PM »
Jim,

Do you have any custom accounts defined? When the password is populated, is the ring icon in the status bar vertical or slanted?

Jim

  • Guest
Passwords don't Match -- again!
« Reply #8 on: December 10, 2005, 10:14:57 PM »
I do have ONE custom account defined for Verizon Wireless.  I think the only thing it does other than the defaults is to use the alpanumeric-only character set for the password.

Let me describe the problem more clearly, since there may be some confusion.  I just tried it again.  I went to the Passwordmaker forums registration page, and also opened up Passwordmaker to the advanced options.  I entered my master password.  The "Using URL field on the passwordmaker advanced options panel says "passwordmaker.org".  Then I went to the enter password field on the passwordmaker registration page -- I used the context menu choosing "Populate with PasswordMaker".  The password populated into the field is DIFFERENT from the one shown in the PasswordMaker advanced options panel.  You can see what I am seeing by looking at this photo:

http://jimackermann.smugmug.com/photos/47783014-L.jpg

(the resolution is not the greatest but you should be able to tell that the passwords are different.  You can get to the full sized file by going here:  http://jimackermann.smugmug.com/gallery/1030381/1/47783014

and clicking on "original" in the list labeled "Other sizes" below the picture.)

I hope this helps describe the problem.  Also, I tried clicking on the button to copy the password onto the clipboard, then I pasted the password into a notepad.  The password pasted is the one in the advanced options panel, NOT the one obtained using the context menu.  (That is how I bumped into the problem in the first place -- I went to change my password at another web site, and rather than use the context menu, I copied the password from the advanced options panel and pasted it into the web page's "new password" field.  I also pasted it into a notepad.  When I then logged out of the site and tried to log back in, I populated the password field with the context menu -- and the login failed.  But when I copied and pasted the password from my notepad where I had saved it, it worked.)

Oh, and I have never noticed the ring being anything other than horizontal.

Robin Monks

  • Guest
Passwords don't Match -- again!
« Reply #9 on: December 13, 2005, 12:56:10 PM »
I also experience this same problem on various sites.  Including Drupal-powered sites.

Robin

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #10 on: December 13, 2005, 01:56:50 PM »
I'm looking into this further and will reply back shortly.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #11 on: December 14, 2005, 02:18:45 AM »
Hi,

I think I understand what's going on. Here's what I did to try to reproduce the bug or problem or whatever it is (it might just be a misunderstanding of how to use the extension).

1. Created new profile and installed passwordmaker. Didn't create any custom accounts.

2. Went to the register page of forums.passwordmaker.org

3. Opened passwordmaker advanced settings and typed a master password.

4. Checked Global Settings->Show all passwords on web pages as clear text. Note that I left "Do not store master password" as the master password storage setting. I did not change any other settings, nor did I close the PasswordMaker dialog.

5. Right-clicked on the password field on the registration page and selected PasswordMaker->Populate With PasswordMaker. At this point, I'm presented with the following prompt:



If I enter the exact same master password as entered in step 3, the generated passwords are the same. If I enter a different password, the generated passwords are different. Are you certain you entered the same MPW both times? From my perspective as one of the core PasswordMaker developers, this is how it should work--but maybe you were expecting something else? Perhaps my vision is clouded by working too closely with this extension :)

If you don't see this image, please let me know. That means you've selected a different master password storage setting than me, and I'm not testing the same thing as you...

Thank you for your time in helping debug this,
Eric
« Last Edit: December 14, 2005, 02:20:28 AM by Eric H. Jung »

Offline tanstaafl

  • God Member
  • ******
  • Posts: 1363
Passwords don't Match -- again!
« Reply #12 on: December 14, 2005, 01:03:08 PM »
Hi Eric,

I've been giving this some thought, because of the number of problems this causes with new users (and hey, I've been bitten by it a couple of times too)...

I have an idea on how it night be handled, but I may be missing something that would make this a bad idea...

Since it is impossible (?) to reverse engineer the Master Password from a hash, why not do the following:

Create a new function called 'Master Password Confirmation Hash'

When this function is called, PWM uses very secure, randomized Account Settings (randomize the Character Set, randomize the password length from 12-20, etc, which would result in a different hash each time) to generate a password which is then hashed and stored - along with the Settings used to generate it - in encrypted form on disk (or, optionally, only in memory).

Once this hash has been generated, have a little red/green light show up in the Master Password Prompt window, that shows red when the Master Password is not the same as the one that generated the Master Password Confirmation Hash, and green when it is the same.

What do you think?
« Last Edit: December 14, 2005, 01:05:37 PM by tanstaafl »

Jim

  • Guest
Passwords don't Match -- again!
« Reply #13 on: December 14, 2005, 03:45:58 PM »
Eric,

I went through the exact same procedure you did -- created a new profile, installed PasswordMaker, etc.  I made very sure that I changed no settings other than the one that shows passswords on web pages as clear text.  Entered my Master Password into the advanced settings.  I left the "Do not store master password" as the password storage setting.

Then I right-clicked on the passwordmaker forum registration page's password field and selected "Populate with Passwordmaker".  I got the dialog box you show.  I entered my Master Password.

I got a different password on the web page from the one showing in the advanced options settings.

I am absolutely certain that I changed no other settings for PasswordMaker.  I am also dead certain that I entered the same master password -- it's the same password that I use as my Firefox master password, and for the keychain on my Mac at home.  I may "fat finger" it on rare occasion, but certainly not this many times and not this consistently!

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Passwords don't Match -- again!
« Reply #14 on: December 14, 2005, 03:57:28 PM »
Jim,

I've reproduced the bug. Thanks for being persistent. I'll have a fix shortly.

Regards,
Eric

PasswordMaker Forums

Passwords don't Match -- again!
« Reply #14 on: December 14, 2005, 03:57:28 PM »