Open Bug 1267275 Opened 4 years ago Updated 6 months ago

Masterpassword cannot be set due to faulty password entry fields

Categories: Firefox :: Security, defect; 45 Branch; All; Windows; defect; Not set
Tracking: UNCONFIRMED
People: Reporter: steam, Unassigned, NeedInfo

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160407164938

Steps to reproduce:

I use a hardware USB token that does contain important and less-important passwords. The token acts as a virtual keyboard to the computer and thus it is compatible with any application.

Problem is, with some previous version of FF I could use this device to set the master password in the password manager. The passwords do have a fixed length of 32 characters, are completely randomized and contain some special characters.

Currently I am trying to set up a master password in the password manager of a freshly installed and configured FF 45 installation. But unfortunately the password manager won't let me do this as it seems that the password in the first and in the second field are not the same. The button to save the password as the new master password stays disabled in the dialog.

Normally I would assume I just mistyped the second password. But since I am using my USB token, this is not possible and the passwords in the two fields should definitely be the same.


Actual results:

Passwords not accepted.
The DOM Inspector tells me that the two passwords in the two fields really are not the same and actually none of them is the correct one.

I post them here as example (I will change it on the USB token afterwards):

Upper box contains: =UiF66,8xe215dv6tßj6i0tJ-9xtqj+f
Lower box contains: =UIf66,(xe"!5dv6tßj6i0tj-9XTQj*F
However the correct one would be: =UiF&&;(xE2!5dv&t?j6i=tJ_)XTqJ+F



Expected results:

Password manager should have accepted the password. Passwords should be identical in the two fields.
Component: Untriaged → Security
OS: Unspecified → Windows 10
Hardware: Unspecified → x86
Hardware: x86 → x86_64
Could you write detailed steps to reproduce the issue, please.
Flags: needinfo?(steam)
Steps to reproduce:

1. Go to Options --> Security
2. Check "Use a master password"
3. Password prompt shows to set Passwords

Now the weird part:

4. Enter Password by hand --> works, OK button is enabled
--or--
4. Enter Password by copy & paste --> works, OK button is enabled
--or--
4. Use password token to enter password (Token emulates a USB Keyboard - it is typing extremely fast of course!) --> fails, OK button greyed out

Assumption: Firefox cannot cope with the speed in which the token "types" the keys.
Unfortunately it is kind of a black box and I cannot change the typing speed on the token.

However the token works just fine with Thunderbird 45 (on Windows)!
It also works fine with Iceweasel 38 or Firefox 43 (at least on Debian).
Flags: needinfo?(steam)
Sorry for my ignorance, but what is a Token? Can I download/install it to try to reproduce your issue on my Win 7 machine?
Loic - it seems to be a hardware device, so not something that would be downloadable (although maybe there's software that would emulate such a thing?)

lightfox - it might be helpful to know more specifically what this device is (e.g. manufacturer and model number). Also, does the token exhibit the same behavior when using it on other input boxes in Firefox? For example, if you open up the web console (Tools -> Web Developer -> Web Console) and use the token on the input box there, does it insert your password correctly?
Flags: needinfo?(steam)
The token itself is not commercially available (at least not now) but I was told that there is a simple Atmel Atmega USB microcontroller that does have a USB (HID) interface which emulates a keyboard.
Even Windows doesn't see a difference to a normal keyboard in the device manager.

However, I tried some various input boxes in Firefox:
Correct PW:                   =UiF&&;(xE2!5dv&t?j6i=tJ_)XTqJ+F
This comment input box:       =UIF6&,(xe215dv6tßj6i0tj-9xtqj+f
URL input bar:                0uiF66,8xe215dv6t?J6i0tj-)xtqj+f
Developer console:            0uif66,(xe21%dv6tßJ6i0tj_9xtqj*f
About:config search bar:      0uif66,(xE215dv6tßj6i0tj-9XTQj+f
Website's input (pastebin):   =UIF&&;(XE"!%DV&T?J&I=TJ_)XTQJ*F
Second retry:                 0uif66;8XE215dv6tßj6i0tj_9xTqj+f
Third retry:                  0uiF66,(xe2!%Dv6tßj6i0tj-9xtqj*f

Ok after I tested the input on pastebin.com or Google I realized that the passwords change a little bit on every retry.
Seems to affect any input box in Firefox (as I noted, not Thunderbird however)...

I might get some more information on the token.
Just to clarify what the token does:
It has a button. If you press it --> PW will be entered.
Forgot to clear needinfo for my previous comment ... Sorry
Flags: needinfo?(steam)
OS: Windows 10 → Windows
Hardware: x86_64 → All
I think I know where the problem is. Actually I haven't mentioned that I am using a German keyboard layout. Those letters above change for example between 0 and =
0 and = are on the same hardware key on a German keyboard and = will be typed with shift + 0
1 and ! are on the same key
6 and & are on the same key
...

So I assume that somehow Firefox registers some shift-key events occurring.

But still - Firefox (since 44) is the only application showing that behaviour.

I will do some deeper digging into the hardware token...
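
A per-character check of the layout hypothesis in the comment above, as an added example that is not part of the original bug report. The German key map is the standard QWERTZ assignment and is an assumption about the reporter's layout; `physical_key` and `classify` are hypothetical helper names, and the strings are copied from the report.

```python
# Added example, not from the bug report. DE_SHIFT is the standard German
# (QWERTZ) unshifted -> shifted map, assumed to be the reporter's layout.
DE_SHIFT = {
    "1": "!", "2": '"', "3": "§", "4": "$", "5": "%", "6": "&", "7": "/",
    "8": "(", "9": ")", "0": "=", "ß": "?", "+": "*", "#": "'",
    ",": ";", ".": ":", "-": "_", "<": ">",
}
DE_UNSHIFT = {shifted: plain for plain, shifted in DE_SHIFT.items()}


def physical_key(ch):
    """Return (key, shift_held) for a character typed on the German layout."""
    if ch in DE_UNSHIFT:
        return DE_UNSHIFT[ch], True
    if ch in DE_SHIFT:
        return ch, False
    if ch.isalpha():
        return ch.lower(), ch.isupper()
    return ch, False


def classify(expected, observed):
    """Count positions that match, differ only in Shift state, or differ in key."""
    if len(expected) != len(observed):
        raise ValueError("length differs: keystrokes were dropped or duplicated")
    counts = {"match": 0, "shift_only": 0, "other": 0}
    for want, got in zip(expected, observed):
        if want == got:
            counts["match"] += 1
        elif physical_key(want)[0] == physical_key(got)[0]:
            counts["shift_only"] += 1
        else:
            counts["other"] += 1
    return counts


# Strings copied from the report (the reporter posted them as examples).
CORRECT = "=UiF&&;(xE2!5dv&t?j6i=tJ_)XTqJ+F"
SAMPLES = {
    "upper box": "=UiF66,8xe215dv6tßj6i0tJ-9xtqj+f",
    "lower box": '=UIf66,(xe"!5dv6tßj6i0tj-9XTQj*F',
    "pastebin": '=UIF&&;(XE"!%DV&T?J&I=TJ_)XTQJ*F',
}

if __name__ == "__main__":
    for name, seen in SAMPLES.items():
        print(f"{name:10} {classify(CORRECT, seen)}")
```

Every mismatch in these samples lands in the `shift_only` bucket: the right physical keys arrive in the right order, and only the Shift state at each keypress differs.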
(In reply to lightfox1101 from comment #7)

> But still - Firefox (since 44) is the only application showing that
> behaviour.

Interesting. So maybe there is a regression since 44. Could you install Mozregression to narrow down a regression range, please.
See http://mozilla.github.io/mozregression/ for details.
Run "mozregression --good=44" then copy here the final pushlog.
Flags: needinfo?(steam)
Handy tool!

Just 4 fun I used it to test Firefox 5 (five) and I had the same problem there (and on any other version I tested using that tool).
Which is weird because I just stopped using Firefox for maybe 2 months, and then I just set up a new installation and it didn't work anymore. I also tried it on another computer (Win 7 on it, 32 bit Version of FF).

To clarify, it was definitely working on my Firefox installation before.
(Just 4 fun I also reinstalled Firefox on my computer but as mentioned above I see the same issue on other Windows installations.)

I might get hold of a whole bunch of FF installations soon (~100 computers I guess) and I will test it on them (token manufacturer is also interested in the issue but he says he can't reproduce it because he is using Linux only).

I did some monitoring of the USB communication using usbmon on Linux with Wireshark. I am not an expert in USB protocols but I don't see any difference in the data packets each time I press the button on the token.

lightfox1101, does this still reproduce using a current version?
