palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Partial Password support #57

Closed ghost closed 7 years ago

ghost commented 7 years ago

First of all thank you for this best of class extension.

Unfortunately, some sites are using a nasty feature sometimes called partial password, which means that instead of submitting your password you have to enter only randomly chosen characters from it.

This (anti)feature combined with password managers like yours is a usability nightmare, as you have to manually count the position of each character.

I know that KeePass has a PICKCHARS feature which provides some solution.

Also, there is another Firefox extension which tries to ease some of the burden but needs manual copy-pasting from an existing password manager.

Do you think easypasswords can implement something to make those sites usable?

palant commented 7 years ago

I've never come across any websites doing something like that; from a security point of view it's completely crazy. Can you give me some examples? Given that different websites likely implement this differently, more examples are better.

ghost commented 7 years ago

Yeah, many people are surprised that such oddities exist. I adjusted the proper name of this feature and linked to the wiki. Here's an explanation.

Here are some links. Sorry for the foreign language, but you can change it to English. Please write some bogus username and it will ask you for selected password characters.

https://login.ingbank.pl/mojeing/app/#login (switch to English at bottom)

https://aliorbank.pl/hades/do/Login (switch to English at upper right)

https://www.pekao24.pl/ClientLogonUK.html (english)

palant commented 7 years ago

These seem to be fairly similar. I guess we could recognize multiple password fields on a page, all with maxlength="1". The only issue is figuring out in a generic way which characters we are being asked for. For the scenarios here the number the name attribute ends with will do. But these don't seem to be really independent implementations, rather the same contractor working on all of them.

ghost commented 7 years ago

There are more sites from different countries. It's especially popular in banking :smile: However, many sites require a valid login. Some banks that use this technique are mentioned in http://groups.inf.ed.ac.uk/security/passwords/pps.pdf

You can try those (just fill bogus data for username/birth):

https://www.365online.com/online365/spring/authentication?execution=e1s1

https://www.standardlife.co.uk/c1/login.page

palant commented 7 years ago

Actually, extracting the position from the name attribute has its issues - the first two sites use one-based indexing, the last one zero-based. This can be solved by looking at what other fields are present, but ING only has the fields in the document which are actually meant to be filled in.

palant commented 7 years ago

Thank you for these additional examples. These also have one-based numbering, so this seems to be prevalent. I guess I'll be assuming one-based numbering unless an input element numbered zero is found.

palant commented 7 years ago

The code I added can handle all the examples correctly except for standardlife.co.uk - there the input fields don't offer any clues for the position of the characters in the password. Seems to be as good as it goes.
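The heuristic sketched in this thread (several password inputs with maxlength="1", position taken from the trailing number of the name attribute, one-based unless an element numbered zero exists, and a bail-out when the names carry no positional clue), written up as an added example that is not pfp's own code. It works on plain objects standing in for `<input>` elements so it runs outside a browser; in an extension the same array would come from `document.querySelectorAll("input")`.

```javascript
// Added example, not code from the pfp project. Each input is described by
// { type, name, maxLength }, mirroring the DOM properties of an <input> element.

function findPartialPasswordFields(inputs) {
  // Candidates: password inputs restricted to a single character.
  const candidates = inputs.filter(el => el.type === "password" && el.maxLength === 1);
  if (candidates.length < 2) return []; // one field is an ordinary login form

  const parsed = [];
  for (const el of candidates) {
    const m = /(\d+)$/.exec(el.name || "");
    if (!m) return []; // no positional clue in the name: refuse to guess
    parsed.push({ name: el.name, index: parseInt(m[1], 10) });
  }

  // Assume one-based numbering unless a field numbered zero is present.
  const zeroBased = parsed.some(p => p.index === 0);
  return parsed.map(p => ({ name: p.name, position: zeroBased ? p.index : p.index - 1 }));
}

// Map each detected field name to the password character it asks for.
// Positions outside the password are skipped rather than filled with garbage.
function fillPartialPassword(inputs, password) {
  const result = {};
  for (const f of findPartialPasswordFields(inputs)) {
    if (f.position < 0 || f.position >= password.length) continue;
    result[f.name] = password[f.position];
  }
  return result;
}

// Constructed sample forms (not captured from any real site).
const oneBasedForm = [
  { type: "text", name: "login", maxLength: -1 },
  { type: "password", name: "pass_2", maxLength: 1 },
  { type: "password", name: "pass_5", maxLength: 1 },
  { type: "password", name: "pass_9", maxLength: 1 },
];
const zeroBasedForm = [
  { type: "password", name: "char0", maxLength: 1 },
  { type: "password", name: "char3", maxLength: 1 },
];
const noClueForm = [
  { type: "password", name: "a", maxLength: 1 },
  { type: "password", name: "b", maxLength: 1 },
];
```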