search

brinchj / RndPhrase

RndPhrase: Auto-generated secure passwords.
BSD 2-Clause "Simplified" License
21 stars 4 forks source link

Passwords hashed differently in Firefox #7

Open Munksgaard opened 13 years ago

Munksgaard commented 13 years ago

Using Firefox 4.0 and RndPhrase 0.9.14 and if i go to reddit.com the hashes i generate are different from what is generated using rndphrase.appspot.com or the extension for google chrome.

Steps to reproduce: Open Firefox 4.0 with RndPhrase installed and seed set to 'seed'. If you enter 'password' as the password and inspect the value of the field (with firebug or similar) you'll note that the hashed value is 'k77srzzakgctzluv'. Now go the http://rndphrase.appspot.com/ and enter the same values (seed: 'seed', password: 'password', domain: 'reddit.com' and you'll see that the hashed value is 'nfe9qi04nuy97etv'. The same applies using google chrome.

brinchj commented 13 years ago

I cannot reproduce this error. Are you running the latest version of Firefox 4?

I have tested this with RndPhrase 0.9.14 and reddit.com seems to work fine. I get the expected password both when using seed/password and when using my own personal combination.

DrMelon commented 13 years ago

I'm also having this issue. rndphrase.appspot.com hashes my passwords differently than the Chrome plugin. Both versions are 0.9.14.

brinchj commented 13 years ago

Can you give an example website where the Chrome password differs from the one generated at rndphrase.appspot.com?

What version of Chrome are you using?

brinchj commented 12 years ago

I managed to reproduce this issue and think I've finally fixed it in version 0.9.18.

Since Firefox does not do sandboxing like Chrome, the RndPhrase state was shared across tabs. This means that if you'd load twitter.com in one tab, followed by google.com in another, RndPhrase would use "google.com" as the domain for both tabs. That's a lot worse than I had thought; sending the password for the wrong site is a security issue.

Of course it makes it impossible to log into something like reddit.com, where the banner ad is served from redditmedia.com and loaded after the main site (the password would be for redditmedia.com and not reddit.com).

This is fixed by wrapping all state in a function() object that is initialised in a new instance every time RndPhrase is loaded. This should ensure, that no state is ever shared. Coincidentally, this also makes some parts of the code cleaner.

Please try version 0.9.18 (currently in the Mozilla review-queue) and see if this issue has been resolved.