clipperz / password-manager

Clipperz is an online vault and password manager that knows nothing about you and your data. Everything you submit is locally encrypted by your browser before being uploaded to Clipperz. The encryption key is a passphrase known only to you and Clipperz could never access your data. Clipperz is built upon open proven and trusted encryption algorithms.
https://clipperz.is
GNU Affero General Public License v3.0

One Time Passwords do not work #125

Open petrsnm opened 6 years ago

petrsnm commented 6 years ago

application version:58e89852c32d9258ed43903e1fc929ce900eb118

For the username, I use the same account username as always. For the passcode, I use the OTP. I've used Firefox, Internet Explorer and Chrome.
I've tried cutting and pasting the OTP. I've tried with and without spaces. With and without dashes.

Error logs in the javascript console differ depending on the browser, but the end result is the same: "Login Failed".

Either I'm doing something wrong or the OTP feature is completely broken...

gcsolaroli commented 6 years ago

Hello @petrsnm,

unfortunately this is not the first problem of OTP not working correctly; the feature is not "completely broken" (as every time we try to replicate the problem it has always behaved correctly) but there is definitely something going wrong that we have not identified yet.

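The problem we have in investigating the issue is multifold:

  • all data in our DB are encrypted, and so it is not very easy to make sense of it;
  • OTP content is encrypted itself, and as soon as you try to use it (either with the right user or wrong user) its content is deleted.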

Unfortunately, all the times we have looked into this problem, we have never been able to reliably reproduce it; and this means we have not been able to fix it.

I know I have to try to investigate this issue further, but I don't know when I will be able to do it.

Giulio Cesare

petrsnm commented 6 years ago

Can you at least fully clarify how the OTP value should be typed? Should the spaces be used? Should the dashes be used?

Also, even with OTP not working, clipperz is one of my very favorite and most important apps. I have donated via BTC several times to show how much I like it.

4.9 stars already. 5 stars if OTP worked.

On Mar 1, 2018 11:28 AM, "Giulio Cesare Solaroli" notifications@github.com wrote:

Hello @petrsnm,

unfortunately this is not the first problem of OTP not working correctly; the feature is not "completely broken" (as every time we try to replicate the problem it has always behaved correctly) but there is definitely something going wrong that we have not identified yet.

The problem we have in investigating the issue is multifold:

  • all data in our DB are encrypted, and so it is not very easy to make sense of it;
  • OTP content is encrypted itself, and as soon as you try to use it (either with the right user or wrong user) its content is deleted.

Unfortunately, all the times we have looked into this problem, we have never been able to reliably reproduce it; and this means we have not been able to fix it.

I know I have to try to investigate this issue further, but I don't know when I will be able to do it.

Giulio Cesare


gcsolaroli commented 6 years ago

We have implemented OTP input validation to be as tolerant as possible; you can type in the value with or without spaces; with or without dashes; it also uses an encoding that makes similar characters equivalent (zero and 'o' –both capital and lowercase– are handled the same; number one and lowercase 'L'; etc…).

We had issues with "weird" hyphen characters being pasted into the OTP field causing a wrong handling of the actual value, but we should have fixed this problem already.

Unfortunately there is still something that goes wrong (sometimes) that we haven't been able to put our fingers on yet.

We may be getting a new computer using some of the BTC donated by our users; when the new computer arrives, the first task will be to investigate the OTP issues again.

Thanks for the support.

Giulio Cesare
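
The tolerant OTP input handling described in the comment above, including the pasted "weird" hyphen case, as an added example that is not Clipperz code. The Crockford-style Base32 alphabet, the look-alike table and the names `normalizeOtp` and `nonAsciiCodePoints` are assumptions; the thread describes only the behaviour.

```javascript
// Added example, not Clipperz code. The alphabet and look-alike table follow
// Crockford's Base32, an assumption: the thread describes only the behaviour.
const ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
const LOOKALIKES = { O: "0", I: "1", L: "1" }; // applied after upper-casing

// Separators a user may type or paste: whitespace, every Unicode dash (\p{Pd},
// which includes ASCII "-"), minus sign, soft hyphen, zero-width characters.
const SEPARATORS = /[\s\p{Pd}\u2212\u00AD\u200B-\u200D\uFEFF]/gu;

const hex = (ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

function normalizeOtp(input) {
  // NFKC first, so full-width and other compatibility forms become ASCII.
  const compact = String(input).normalize("NFKC").replace(SEPARATORS, "");
  let out = "";
  for (const ch of compact.toUpperCase()) {
    const mapped = LOOKALIKES[ch] ?? ch;
    // Reject anything left over instead of dropping it silently: a silent
    // drop turns an unrecognised paste artefact into a different code.
    if (!ALPHABET.includes(mapped)) {
      throw new RangeError(`unexpected character ${hex(ch)} in OTP`);
    }
    out += mapped;
  }
  return out;
}

// Code points outside printable ASCII, suitable for a bug report because it
// shows what was pasted without revealing the OTP itself.
function nonAsciiCodePoints(input) {
  return [...String(input)].filter((ch) => ch < " " || ch > "~").map(hex);
}

// Constructed sample values, not real Clipperz OTPs.
const typed = "5h3k-OoLq-w9x1";
const pasted = "5H3K\u2013001Q\u2011W9X1\u200B"; // en dash, non-breaking hyphen, zero-width space
console.log(normalizeOtp(typed) === normalizeOtp(pasted));
console.log(nonAsciiCodePoints(pasted));
```

Both the enrolment path and the login path have to apply the same normalization before the value is hashed or compared, otherwise a code that displays correctly can still fail to match.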

jeremyreeder commented 4 years ago

I, a new user of Clipperz, am having this same problem with OTPs. Whether I include or exclude spaces and hyphens, whether I enter the OTP manually or paste it in, and whether I press Enter or click 'login', the result is always the same: "login failed". I'm using the Brave browser with no extensions.

karthikramas commented 4 years ago

OTPs are generally sent to your mobile phone and they expire after a few minutes or so depending on different websites. There is no point in storing them in your Clipperz account as they will change every time.

You should store your passwords and any other values that won't change every time you access the site in Clipperz.

Tip 1. Press the lock symbol without forgetting, so it will be encrypted.

Tip 2. Sometimes I store the website address too, so I don't have to remember them or search again.

Thanks, Karthik


jeremyreeder commented 4 years ago

You seem to be talking about something different, @karthikramas. You're right, of course, that it would not make sense to store time-based TOTP codes such as those generated by Google Authenticator. But the topic here is Clipperz OTP codes, which serve a different purpose. Based on the documentation, each Clipperz OTP code will work in place of the main password but will work only once. What some of us are experiencing is that Clipperz OTP codes don't work at all.

karthikramas commented 4 years ago

OK, sorry if I have misunderstood you. Cheers.
