Don't offer to save WRONG passwords!

Postby ericosman » Mon Nov 05, 2018 6:17 pm

I typed in a WRONG password on a website (I'm on Windows 10 using the Chrome browser), and even though the website declared "wrong password try again", the LastPass software still popped up a box asking me if I want to save the password.

Please don't offer to save passwords that have been declared to be wrong!

Thanks. eric osman at rcn dot com seven eight one nine one oh five five one three
ericosman
 
Posts: 5
Joined: Thu Oct 29, 2015 10:44 pm

Re: Don't offer to save WRONG passwords!

Postby Rich4422 » Tue Nov 06, 2018 8:53 pm

LastPass doesn't and can't know if typed password is wrong. It only notices a different password from the one stored in LastPass.
Rich4422
 
Posts: 57
Joined: Tue Jan 02, 2018 8:53 am

Re: Don't offer to save WRONG passwords!

Postby ericosman » Wed Nov 07, 2018 12:46 pm

>>> LastPass doesn't and can't know if typed password is wrong

Hi Rich,
Thanks for responding. I certainly am convinced of the "doesn't", but not convinced of the "can't". Perhaps we should replace "can't" with "hasn't been programmed to attempt to determine".
ericosman
 
Posts: 5
Joined: Thu Oct 29, 2015 10:44 pm

Re: Don't offer to save WRONG passwords!

Postby Rich4422 » Wed Nov 07, 2018 2:43 pm

To be honest, it's not something that can be programmed. Websites nowadays don't know if any password belongs to any account. Websites can only tell if username exists in database. Passwords on all legitimate websites are always salted, so the system has actually stored salted password and not the password you are typing. That's why secure websites will give you prompt "Username or password is incorrect". They won't tell you if it's specifically your password that is incorrect. In short, there's simply no way of communicating between password manager and website that would help to determine "wrong" password. It doesn't exist and if it would, it would be a security risk and LastPass would never implement it.
Rich4422
 
Posts: 57
Joined: Tue Jan 02, 2018 8:53 am

Re: Don't offer to save WRONG passwords!

Postby ericosman » Wed Nov 07, 2018 3:04 pm

If I can see the message on my screen saying "incorrect username or password", then LastPass can also see the message, right? So my suggestion is that LastPass not pop up a box in that case saying "should LastPass remember this password?".
ericosman
 
Posts: 5
Joined: Thu Oct 29, 2015 10:44 pm

Re: Don't offer to save WRONG passwords!

Postby Rich4422 » Wed Nov 07, 2018 11:39 pm

LastPass can't see that message. LastPass can detect input fields, it can't scan for popup messages or simple text prompts.
Rich4422
 
Posts: 57
Joined: Tue Jan 02, 2018 8:53 am

Re: Don't offer to save WRONG passwords!

Postby ericosman » Thu Nov 08, 2018 12:11 am

When you say "LastPass can't scan for popup messages", maybe you mean "it could be programmed to, but no one has done it". Years ago, I easily programmed in JavaScript to read every single text message that came to the browser tab. I did it with ajax calls that supplied the input, so that the response to the ajax call contained the text. So, couldn't LastPass easily be programmed to do that sort of thing and hence be able to read the "incorrect username or password" string so that it could know not to ask the user "should I save this password?"
ericosman
 
Posts: 5
Joined: Thu Oct 29, 2015 10:44 pm

Re: Don't offer to save WRONG passwords!

Postby FlyingHawk » Thu Nov 08, 2018 12:11 pm

It depends on how bloated and slow you want LastPass to be.
Even then, there's no *reliable* way to detect it. You can extract all the text, sure. But then how do you actually detect it and with minimum false positive/negative?
Websites are so different from each other, across different regions and *languages*, with no *standard* messages. It's simply not practical to do it for all sites.

Development time (which is a limited resource) is better spent on other things.
FlyingHawk
 
Posts: 740
Joined: Wed Mar 18, 2015 12:04 pm
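
[Added example, not part of any post in this thread and not LastPass code.] The false positive/negative problem raised above, measured on two simple "did the login fail?" heuristics. The page snapshots, the phrase list and the names byPhrase, byField and evaluate are all constructed for illustration.

```javascript
// Constructed post-submit page snapshots (not captured from real sites).
// failed = ground truth: did the site actually reject the login?
const SAMPLES = [
  { name: "en-generic", failed: true, hasPasswordField: true,
    text: "Incorrect username or password. Try again." },
  { name: "de-generic", failed: true, hasPasswordField: true,
    text: "Benutzername oder Passwort ist falsch." },
  { name: "icon-only", failed: true, hasPasswordField: true,
    text: "Sign in" }, // error shown only as a red border, no message text
  { name: "ok-with-help", failed: false, hasPasswordField: false,
    text: "Welcome back! Tip: if the app says 'incorrect password', reset it here." },
  { name: "ok-change-pw", failed: false, hasPasswordField: true,
    text: "Welcome back! Your password expires soon. Choose a new password." },
];

// Hypothetical phrase list: English only, as a first attempt would be.
const PHRASES = [/incorrect (username or )?password/i, /wrong password/i,
                 /invalid (login|credentials)/i];

// Heuristic A: the page text contains a known error phrase.
const byPhrase = (s) => PHRASES.some((re) => re.test(s.text));
// Heuristic B: a password field is still on the page after submit.
const byField = (s) => s.hasPasswordField;
// Heuristic C: require both signals.
const byBoth = (s) => byPhrase(s) && byField(s);

// Compare a heuristic's guesses against ground truth.
function evaluate(heuristic, samples = SAMPLES) {
  const out = { falsePositives: [], falseNegatives: [] };
  for (const s of samples) {
    const guess = heuristic(s);
    if (guess && !s.failed) out.falsePositives.push(s.name);  // save prompt wrongly suppressed
    if (!guess && s.failed) out.falseNegatives.push(s.name);  // wrong password still offered
  }
  return out;
}

console.log("phrase:", evaluate(byPhrase));
console.log("field: ", evaluate(byField));
console.log("both:  ", evaluate(byBoth));
```

On these samples every heuristic misclassifies at least one page: phrase matching misses the German and icon-only failures and trips on help text, while the field check suppresses the prompt on a successful login that shows a change-password form.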

Re: Don't offer to save WRONG passwords!

Postby jpenny84 » Thu Nov 08, 2018 12:39 pm

The potential performance decrease of dynamically analyzing dialog boxes would likely outweigh any practical benefit.
jpenny84
 
Posts: 8384
Joined: Tue Mar 06, 2012 9:10 pm

Re: Don't offer to save WRONG passwords!

Postby Rich4422 » Thu Nov 08, 2018 2:13 pm

As FlyingHawk said, there's no possible way to do it universally and reliably. Ultimately it's not even about decreased performance, the sheer concept of what you are proposing is simply a fairytale. So no, LastPass can't do that. Nobody in their right mind would even try to do that. Not to mention the fact that it isn't about some default strings. LastPass is translated to 40+ languages by volunteers. You are proposing to fight an annoying mosquito in your house with a tank.
Rich4422
 
Posts: 57
Joined: Tue Jan 02, 2018 8:53 am

