100 Watt Walrus

BUG: Password Audit > Identical has a lot of inaccuracies


Beta 6.4.2 (667)

I was poking around in Password Audit > Identical today and have run into a handful of issues:

1) If you're in All Vaults, the sidebar shows a count of "identical" passwords, but when you click on that category to view them, it's empty — the only way to see a list of identical passwords is to choose a particular vault first.

2) The count is inaccurate — in my primary vault, the sidebar shows 22 items, but only 12 appear in the list

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but last several characters are customized per site)...

4) ...but those first 16 characters are the same in several of my passwords, so if bug #3 is because the app is (for some reason) only looking at the first XX characters in order to call them "identical," why did it only find 2 "matches"?

5) Of the 12 items shown, 2 of them are grouped all by themselves — listed as matching, but there are no matches.

(And just to head off at the pass anyone who might want to admonish me for using passwords that have 16 characters in common, I have lots of entropy after those 16, and I'm in the process of randomizing all my passwords, but that takes time.)


Hey @100 Watt Walrus

Sorry for the trouble you are going through, and thank you so much for explaining the scenario in detail.

On 6/28/2020 at 10:04 AM, 100 Watt Walrus said:

1) If you're in All Vaults, the sidebar shows a count of "identical" passwords, but when you click on that category to view them, it's empty — the only way to see a list of identical passwords is to choose a particular vault first.

2) The count is inaccurate — in my primary vault, the sidebar shows 22 items, but only 12 appear in the list

To check further on this issue, we need a little input from your side, so please let us know:

  • Total number of vaults, and which cloud services you are using to sync the data?
  • Number of identical items showing in each vault?

On 6/28/2020 at 10:04 AM, 100 Watt Walrus said:

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but last several characters are customized per site)...

4) ...but those first 16 characters are the same in several of my passwords, so if bug #3 is because the app is (for some reason) only looking at the first XX characters in order to call them "identical," why did it only find 2 "matches"?

5) Of the 12 items shown, 2 of them are grouped all by themselves — listed as matching, but there are no matches.

(And just to head off at the pass anyone who might want to admonish me for using passwords that have 16 characters in common, I have lots of entropy after those 16, and I'm in the process of randomizing all my passwords, but that takes time.)

 
One of the possible reasons might be that these items (which you have mentioned) have more than one password field. To investigate further on this issue, can you please open these three items one by one in edit mode and check if they have more than two password fields? Or please click on the "Show Webform" of each item on the info page and check if there is any password field having a similar password.
 
Thanks for your co-operation.


Hi Garima. Here are the details you're looking for:

Five vaults — 3 on separate Google Drive accounts, 1 Dropbox, 1 Box.

My primary vault — where the sidebar shows 22 but the list is only 12 — is one of the Google Drive accounts.

None of these records have more than one password field. Each of them does have additional sensitive fields, but those are not Field Type = Password (one is Text and one is Multiline).

Also, none of them have webforms. I've never used them. I don't even know where to find that feature.

FYI, I created my own simplified templates and always use one of those for every new Item (it's impossible to choose my own default template, so I have Ask to Save New Logins turned off)...

...but actually, I don't even use the templates because it's faster to just keep empty Items made from those templates at the top of the alphabet in each vault, and just duplicate them whenever I need a new item. (CMD+D, and just start typing — that's a lot faster than having to click +, then click a category, then click a template). Screenshot below for clarification.

100WattWalrus's non-template template.png


Hi @Pratyush Sharma,

Most of the issues seem to be fixed, except for 

On 6/27/2020 at 9:34 PM, 100 Watt Walrus said:

3) Many of the items shown as identical are not identical — some of them are similar (the first 16 characters are the same, but last several characters are customized per site)

For example, All Vaults > Identical currently has a count of 52 (accurate), the biggest group of which is 19 supposedly "identical" passwords — but in fact, while all 19 passwords in this group begin with the same 8 characters, most of them have different additional characters. These 19 shown all together should actually be split into 5 different sets of identical passwords:

  • 3 of them are identical to each other, and consist of just those 8 characters (the unlock code on devices with a shared user account)
  • 2 of them are identical to each other, but not to the other 17
  • Another 2 are identical to each other, but not to the other 17
  • 9 of them are identical to each other, but not to the other 10
  • 3 of them are identical to each other, but not to the other 16

So it looks like Enpass may not be comparing the entire password before calling them "identical."

That's not necessarily a bad thing in terms of the end goal (totally unique passwords for every account, not variations on a theme), but it is inaccurate, exposes the shortcomings of Enpass's "identical" tool, and potentially misleads the user into thinking they have more matching passwords than they really do.

 

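The difference between "identical" and "shares a prefix" described in the last post, as an added example (not part of the original thread and not Enpass's code): a reuse audit that groups items by a keyed digest of the whole password, next to a hypothetical truncated comparison that reproduces the reported over-grouping. The sample passwords, item names and the `prefix_len` parameter are constructed for illustration, modelled on the 19-item group the post describes.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def group_identical(items, key=None, prefix_len=None):
    """Return groups of item names whose passwords collide, largest first.

    items: iterable of (name, password) pairs.
    prefix_len=None compares the whole password (exact reuse);
    an integer models a hypothetical comparison of only the first N characters.
    """
    key = key or os.urandom(32)  # per-run key, so the digests are useless outside this audit
    buckets = defaultdict(list)
    for name, password in items:
        material = password if prefix_len is None else password[:prefix_len]
        tag = hmac.new(key, material.encode("utf-8"), hashlib.sha256).digest()
        buckets[tag].append(name)
    # A bucket with a single member is not a reuse finding and must not be listed.
    groups = [names for names in buckets.values() if len(names) > 1]
    return sorted(groups, key=len, reverse=True)


def build_sample():
    """Constructed data: 19 passwords sharing an 8-character prefix, plus one unrelated."""
    base = "Tr0ub4d0"  # constructed shared prefix, 8 characters
    suffixes = [""] * 3 + ["-a1"] * 2 + ["-b2"] * 2 + ["-c3"] * 9 + ["-d4"] * 3
    items = [(f"item{i:02d}", base + suffix) for i, suffix in enumerate(suffixes)]
    items.append(("unrelated", "zQ7!some-other-value"))
    return items


if __name__ == "__main__":
    sample = build_sample()
    print("whole password:", [len(g) for g in group_identical(sample)])
    print("first 8 chars :", [len(g) for g in group_identical(sample, prefix_len=8)])
```
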
