Passkeeper security issue



Normally Passkeeper prompts the user to enter the Maxthon password before anything is revealed. However, if the user has Passkeeper open in a tab when Maxthon is shut down, then the next time Maxthon is opened and any user opens Passkeeper again from the list on the Last Session tab, Passkeeper opens and gives an unauthorized user full access to all website passwords.

Version 5.1.5.1000


don't use last session but it's easier than that

go to passkeeper and open by entering password

close maxthon then open again

go to passkeeper and it's open - no password required

[sorry if that's what you mean above]

for a browser that trumpets it's secure this is one hell of a breach in that security

Tony - Vivaldi 4 on Windows 10 64Bit

8 hours ago, Tony said:

don't use last session but it's easier than that

go to passkeeper and open by entering password

close maxthon then open again

go to passkeeper and it's open - no password required

[sorry if that's what you mean above]

for a browser that trumpets it's secure this is one hell of a breach in that security

You're right; I confirm this is a serious security FUBAR that needs to be fixed immediately.

However, the fact that I had never encountered this bug prompted me to do some experiments. The findings are:

1. If Passkeeper is opened, the password entered, and while Passkeeper is left open the browser is closed, you will find that Passkeeper remains open and accessible without the password the next time someone launches the browser. There's no need to use the Last Session link.

2. However, if subsequently to having Passkeeper open under either stage of test 1, the browser is closed with Passkeeper also closed, then upon the next launch of MX5 Passkeeper will require the password.

So the workaround until the bug is fixed is to always close Passkeeper before closing the browser. By luck rather than intention this has been my practice. So make it intentional pending the bug fix.

<<SL>>


19 hours ago, pantantrollo said:

I understand that you are all referring to Passkeeper with user account?

Yes, my normal SnowLeopard account.

18 hours ago, 7twenty said:

Did the same and came to the same conclusion.

Thanks for confirming.

<<SL>>


Hi Everyone

After you enter the password to access your Passkeeper account, if it is more than 15 minutes from the last "operation" at the time of entry, then the password is required again. That's the product logic (SnowLeopard is right: it is not related to Last Session, it is only related to time).

It is to prevent users from entering passwords many times in a period of time. If you have higher security requirements, you can "exit" the Passkeeper feature every time you leave the page.



1 hour ago, BugSir006 said:

Hi Everyone

After you enter the password to access your Passkeeper account, if it is more than 15 minutes from the last "operation" at the time of entry, then the password is required again. That's the product logic (SnowLeopard is right: it is not related to Last Session, it is only related to time).

It is to prevent users from entering passwords many times in a period of time. If you have higher security requirements, you can "exit" the Passkeeper feature every time you leave the page.


you have to be kidding - if that's how you think it should be then your thinking is wrong - passkeeper should lock on exit with no user input - just another reason not to use this badly thought out 'feature'

Tony - Vivaldi 4 on Windows 10 64Bit

  • 3 weeks later...

@Tony, I tend to agree with you that passkeeper should lock on browser exit regardless of whether passkeeper is open in a tab or not. However, I'm not sure why you say the feature is badly "thought out." I wouldn't even consider using a browser these days that didn't manage passwords... they have become too much of a nuisance with all the requirements of IT security departments to try to manually enter them.

Overall I like the feature, but it's not clear to me that everyone in this thread is on the same page. Do we all agree that the desirable behavior would be:

1. Passkeeper should lock on browser exit regardless of whether passkeeper is open in a tab or not.

2. Passkeeper should not require repeat master password entry within 15 minutes as long as the browser stays open.

Many are calling the current behavior a bug, but it's only a bug if it wasn't designed to work that way intentionally, which @BugSir006 seems to be suggesting. On another note, my bigger problem with passkeeper is that it doesn't function well on all websites. One example is: https://www.managedtechnicalsupportaccess.com

Another problem is that it has no options for password requirements. Some sites have very specific requirements, like at least one number, one of @#$%^&, one Capital letter, one lowercase letter, and at least 10 characters overall. Other sites disallow @#$%^&. At minimum there should be options to set minimum characters, and whether to include @#$%^& or not. Otherwise, there are actually a lot of sites where the password generator cannot be used.


3 hours ago, vedicaudio said:

1. Passkeeper should lock on browser exit regardless of whether passkeeper is open in a tab or not.

2. Passkeeper should not require repeat master password entry within 15 minutes as long as the browser stays open.

2. 15 minutes is just to prevent "repeated" password entry. This is exactly our current logic.

1. I can understand what you mean. The disagreement between us is whether the "15 minutes" logic needs to be followed when you exit the browser. Now the product logic is just "don't ask for your password again" no matter whether you stay in the browser or exit. Later, we will pay attention to this type of feedback.

3 hours ago, vedicaudio said:

Another problem is that it has no options for password requirements. Some sites have very specific requirements, like at least one number, one of @#$%^&, one Capital letter, one lowercase letter, and at least 10 characters overall. Other sites disallow @#$%^&. At minimum there should be options to set minimum characters, and whether to include @#$%^& or not. Otherwise, there are actually a lot of sites where the password generator cannot be used.

You can choose the generated password freely in the Passkeeper feature. It has options for different requirements:

1.png  2.png

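The two lock policies being argued over in the posts above, as an added example that is not part of the thread and is not Maxthon code: a time-only check whose "last operation" timestamp survives a restart, next to one that keeps unlock state in process memory only. The class, function names and the `Map` standing in for on-disk profile state are assumptions made for illustration.

```javascript
// Added illustration, not Maxthon code; every name below is hypothetical.
const IDLE_LIMIT_MS = 15 * 60 * 1000; // the 15-minute window from the thread

class VaultLock {
  // persistAcrossRestart = true models the behaviour reported in the thread:
  // the "last operation" time outlives the browser process.
  constructor({ persistAcrossRestart, store = new Map() }) {
    this.persist = persistAcrossRestart;
    this.store = store; // stands in for profile state kept on disk
    this.lastOp = this.persist && store.has('lastOp') ? store.get('lastOp') : null;
  }
  // Called on a successful master-password entry and on every vault operation.
  touch(now) {
    this.lastOp = now;
    if (this.persist) this.store.set('lastOp', now);
  }
  lock() {
    this.lastOp = null;
    this.store.delete('lastOp');
  }
  // True when the master password must be asked for again.
  needsPassword(now) {
    if (this.lastOp === null) return true;
    if (now - this.lastOp > IDLE_LIMIT_MS) { this.lock(); return true; }
    return false;
  }
}

// Unlock, quit the browser, relaunch gapMs later, then open the vault page.
function promptAfterRestart(persistAcrossRestart, gapMs) {
  const disk = new Map(); // survives the simulated restart
  const t0 = 1_000_000; // constructed timestamp (ms)
  new VaultLock({ persistAcrossRestart, store: disk }).touch(t0);
  // The process exits here: the first object and its in-memory state are gone.
  const relaunched = new VaultLock({ persistAcrossRestart, store: disk });
  return relaunched.needsPassword(t0 + gapMs);
}

// Same browser process throughout: only the idle limit applies.
function promptWhileRunning(gapMs) {
  const vault = new VaultLock({ persistAcrossRestart: false });
  vault.touch(0);
  return vault.needsPassword(gapMs);
}
```

With the memory-only policy a relaunch always prompts, while the 15-minute convenience inside a running browser is unchanged.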

On 2/1/2018 at 10:08 PM, BugSir006 said:

You can choose the generated password freely on Passkeeper feature. It has option for different requirements:

1.png  2.png

Huh, I guess the devs quietly added that feature recently and I hadn't noticed it yet! Thanks!

However, I would suggest a couple things... Preferences set in the options should be remembered for next password generation. Also, if you check the _$%@# box, it should force at least one of those characters to appear in every generated password. Right now, I have to keep clicking Generate Again until I randomly get a password that meets a particular website's requirements.


9 minutes ago, vedicaudio said:

Huh, I guess the devs quietly added that feature recently and I hadn't noticed it yet! Thanks!

However, I would suggest a couple things... Preferences set in the options should be remembered for next password generation. Also, if you check the _$%@# box, it should force at least one of those characters to appear in every generated password. Right now, I have to keep clicking Generate Again until I randomly get a password that meets a particular website's requirements.

nope, it's been there for a while now.


On 2018/2/3 at 10:27 AM, vedicaudio said:

I would suggest a couple things... Preferences set in the options should be remembered for next password generation. Also, if you check the _$%@# box, it should force at least one of those characters to appear in every generated password. Right now, I have to keep clicking Generate Again until I randomly get a password that meets a particular website's requirements.

It really is, thanks for your report. Through communication, this issue has been confirmed as a bug. It is expected that this can be arranged to suit your requirements (without refreshing the page), and it has been arranged in the developers' schedule. Kindly wait patiently. :p


  • 1 month later...
On 2/3/2018 at 10:27 AM, vedicaudio said:

Huh, I guess the devs quietly added that feature recently and I hadn't noticed it yet! Thanks!

However, I would suggest a couple things... Preferences set in the options should be remembered for next password generation. Also, if you check the _$%@# box, it should force at least one of those characters to appear in every generated password. Right now, I have to keep clicking Generate Again until I randomly get a password that meets a particular website's requirements.

@vedicaudio Due to the fact that the password generator has its 'memory', it will retain the rules which you set last time. So it is a normal phenomenon; it will change the 'memory' by clicking 'Generate again'. I have marked this issue, and in future maybe there will be changes and adjustments on this requirement. Thanks!


Archived

This topic is now archived and is closed to further replies.