maximum template creates wrong passwords

Question

maximum template creates wrong passwords

brightdroid opened this issue 10 years ago · 7 comments

brightdroid commented 10 years ago

Try it at: https://tmthrgd.github.io/mpw-js/

Full name: John Smith
Master Password: 123
Site: dropbox.com
Counter: 1
Template: Maximum
Type: Password

The result is: mWLnlO-i0CpF&ZFT@@5;
It should be: mnc*1KGi%TpnaZFT!L5;

Answer 1 · 2014-11-05T18:23:22.000Z

Do you have any idea where the bug might be?

Thanks

Answer 2 · 2014-11-06T09:17:15.000Z

@brightdroid I'm looking into it. It's hard to properly test this at the moment as @lhunath hasn't provided any test vectors (yet).

I'm not sure what the cause is yet (I can't even categorically say that a bug exists) but I am working on it.

Answer 3 · 2014-11-06T09:21:14.000Z

Thanks, hope you'll find the issue soon... I rely on your library for my chrome extension (in development).

Answer 4 · 2014-11-06T10:16:39.000Z

@brightdroid I have found the issue. The definition of the x template character changed between the time I implemented this algorithm and now, see The Master Password Algorithm June 25 and now The Master Password Algorithm.

I will prepare to merge the correction in but I will hold off until I receive some sort of confirmation from @lhunath that this was an intentional change and is permanent. (Surely this causes breaking changes?!)

Answer 5 · 2014-11-06T10:22:02.000Z

@brightdroid That actually sounds like a really neat use. When I started with this a Chrome extensions was my intention but that was shelved when I realised I neither wanted to make a Chrome extension nor used Chrome. 😛

Answer 6 · 2014-11-06T10:25:04.000Z

Great this was simple :-P
Thanks so far... I think the extension should be online next week. (needs some final touches)

Answer 7 · 2014-11-06T12:31:44.000Z

@tmthrgd The change was intentional as the documentation did not accurately reflect the implementation. There is a related bug: https://project.lyndir.com/youtrack/issue/MP-12

In fact, it would be great if you guys ( @tmthrgd and @brightdroid ) would join us at project.lyndir.com in coordinating the different versions of Master Password implementations so as to avoid any double work. I'll assign add a Chrome subsystem and assign it to you, @brightdroid, and then we can see about getting it officially verified and reviewed and referred to from the homepage.