palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Same master password, different generated passwords/Sync failing #112

Closed erik-harrison closed 1 year ago

erik-harrison commented 4 years ago

I suspect this is the wrong venue for dealing with this issue, but I haven't been able to find a help or support venue.

I recently installed PfP on two machines, storing one password. The first was installed in a fresh install of Chrome 77 on OS X 10.14, syncing to a Google account.

I then installed PfP on a different OS X machine, also running 10.14, with Firefox 60.8.

On this second machine I signed into sync, and - my one saved password didn't arrive, but I was told sync is successful. I've yet to get home to see if the password is deleted from the home machine.

The second machine - my work machine - also seems to be generating different passwords than the home setup.

Now, there is always the possibility that I'm fat fingering the master password (I doubt it but it's possible) - however the syncing issue seems undeniably legit.

palant commented 4 years ago

Does PfP's encryption algorithm depend on the browser in some way?

No, it's the same code everywhere. I am actually testing regularly that all variants generate the same passwords.

Does PfP store synced data in a way that would successfully sync two sets of data if I was mistyping the master password?

No, two instances with different master passwords won't sync.

If not, does a problem with the master password on a second browser wipe the previously synced data with no warning?

No, it rather won't connect.

From the sound of it, you indeed mistyped the master password - with everything else being equal, the passwords definitely will be identical.

Regarding sync, are you certain that both machines are syncing to the same account? PfP won't currently notify you if the storage is empty, it will simply create a new file there. So if one instance synced to one account while the other synced to another you wouldn't notice that.

erik-harrison commented 4 years ago

I only have the one Google account to use, so I can't imagine it syncing to another place. All else being equal I'll assume that the master password is incorrectly being typed. The laptop needs an unrelated hardware repair; once that's complete I'll bring the one computer to the other to do some more thorough troubleshooting. Sorry for the unproductive ticket.


-- Erik

ilyagr commented 3 years ago

I have a similar problem with syncing with Google Drive. In my case, the generated passwords are the same.

(Master password: 'notapassword'. Site '(none)' User: 'qqq' Length: 16 Password: W)_@g4A@3c%3=asB )

However, when I sync from the Chrome extension (version 2.2.3), and the locally downloaded web PfP on Android (opened with Chrome), the passwords don't get exchanged between the two installations. I guess, for some reason, they created separate backups in Drive. I don't know a way to see the contents of app data storage in Drive to check for sure.

Update: I get the same problem with two instances of PfP running on two desktops, each using the Chrome extension (and signed into the same Google account).

ilyagr commented 3 years ago

Not sure if it's possible, but it might be better if instead of magical app storage, the app created an actual folder in Google Drive and asked for access to that folder only.

palant commented 3 years ago

Not sure if it's possible, but it might be better if instead of magical app storage, the app created an actual folder in Google Drive and asked for access to that folder only.

That’s what I would have preferred as well, and it works this way with Dropbox. Unfortunately, Google Drive doesn’t allow that. If an application doesn’t request access to all files (would be very suboptimal from the security point of view) but rather wants its own folder, Google Drive will hide that folder from the view.

palant commented 3 years ago

I just synced extension data to a Google Drive account, then set up sync for https://pfp.works/webclient/ (on Firefox and Chrome) as well as a locally downloaded copy (on Chrome). So far each has the same data.

the passwords don't get exchanged between the two installations

Are you aware that a sync is only performed once per hour by default? If you want to force an update, there is an “Upload now” button on the sync panel.

ilyagr commented 3 years ago

I did hit that button often. It didn't seem to make any difference. I was a little worried that it's called "Upload now" rather than "Sync now", since for me the functionality matched the name perfectly. :)

I'm not sure why it works for you but not for me. The best guess I have is that Google Drive changed its behavior at some point, and perhaps enables the old behavior for app data created long ago. I'm especially confused why it doesn't work for Chrome extensions for browsers signed into the same Google account on different computers.

It might help to make the app show some debug info about the sync process.


ilyagr commented 3 years ago

I managed to reproduce the "same master password, different generated password" bug. I tried uninstalling the PfP extension from Chrome and reinstalling it into the same browser. Then I used the same 'notapassword' as a master password. What I got:

-- The generated password for site (none) and username qq is now different than it was in https://github.com/palant/pfp/issues/112#issuecomment-727629454: rDNH3#;xUK}(Eu.j

-- Connecting to Google Drive and clicking Upload didn't recover any passwords (either from the same or other computers).

palant commented 3 years ago

-- The generated password for site (none) and username qq is now different than it was in #112 (comment): rDNH3#;xUK}(Eu.j

No, that’s correct behavior. The password for user name qqq is W)_@g4A@3c%3=asB. The password for user name qq is rDNH3#;xUK}(Eu.j on the other hand. Different user name, so different password.
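
The behavior described in the reply above, as an added example that is not part of the original thread and is not PfP's code: a deterministic generator where any change to the master password or user name yields an unrelated password. The derivation, cost parameters, character set and helper names (`generatePassword`, `compareSetups`) are assumptions made for illustration.

```javascript
// Added illustration: a deterministic password generator in the style the
// thread discusses. NOT PfP's actual algorithm, parameters or character mapping.
const crypto = require('crypto');

const CHARSET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&()*+,-.:;<=>?@[]^_{|}~';

// Master password, site and user name all feed the KDF, so changing any
// one of them by a single character produces an unrelated password.
function generatePassword(master, site, user, length = 16) {
  // NUL-separated salt keeps ("ab", "c") distinct from ("a", "bc").
  const salt = Buffer.from(`${site}\0${user}`, 'utf8');
  const bytes = crypto.scryptSync(master, salt, length,
    { N: 16384, r: 8, p: 1 }); // illustrative cost parameters
  // Simple modulo mapping; slightly biased, acceptable for a demonstration.
  return Array.from(bytes, (b) => CHARSET[b % CHARSET.length]).join('');
}

// List the input fields that differ between two setups.
function differingInputs(a, b) {
  return ['master', 'site', 'user', 'length'].filter((k) => a[k] !== b[k]);
}

// Generate on both setups and report whether the results match and, if
// not, which input explains the mismatch.
function compareSetups(a, b) {
  const pa = generatePassword(a.master, a.site, a.user, a.length);
  const pb = generatePassword(b.master, b.site, b.user, b.length);
  return { same: pa === pb, differing: differingInputs(a, b) };
}

// Constructed sample inputs, modelled on the values quoted in the thread.
const first = { master: 'notapassword', site: '(none)', user: 'qqq', length: 16 };
const second = { ...first, user: 'qq' };          // one character shorter
const typo = { ...first, master: 'notapasword' }; // mistyped master password

console.log(compareSetups(first, { ...first })); // identical inputs
console.log(compareSetups(first, second));       // user name differs
console.log(compareSetups(first, typo));         // master password differs
```

When two installations disagree, comparing the exact inputs field by field is the first check, since the generator itself gives no hint about which input was wrong.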

ilyagr commented 3 years ago

You are right, thank you for double checking me. The password for 'qqq' is correct. I don't get any syncing, though, even to restore the data that was stored on the same computer before reinstalling the extension.


palant commented 1 year ago

PfP 3.0 no longer has sync functionality; sync can be done externally.