SafeOnline - credential protection not working

Hi all,

I just installed SafeOnline (Facebook Edition) into my banking VM (an XP 32bit VMWare appliance). The application is working fine, except that the credential protection is not working at all. Verified that with IE8 and FF3.

Just for my understanding: How I got it is that when i.e. a specific password has been saved to a site and I'm trying to enter the same password when I log on to a different site, SO should complain about this, right?

In IE8 SO sometimes offers to save passwords to a protected site, sometimes it does not. Manually assigning credentials does work, but the complain message that I expect when I try to log on to a different site with an already saved password does not appear at all.

This is what I think should happen:
1. open https://bankingsite.com
2. assign password "xyz" to the PrevX entry for https://bankingsite.com
3. open http://someothersite.com
4. try to login to http://someothersite.com with password "xyz"
5. PrevX should complain here

In my environment Step 5 is missing.

So, anybody can help here? Maybe I have a misunderstanding of how SO should work?

Thanks for any advice.

 

Hello,
The credential monitoring components have some logic in plave to prevent poor user experience - first by assessing what the likelihood is that the destination website is not supposed to receive the credentials (i.e. some websites have domains linked to them that are completely different) and that the text of the password won't cause unnecessary disruption (i.e. protecting "xyz" will prevent someone fron typing the alphabet and is too short to be a value password)

If you could either post here or PM me with more specific details on what websites you're trying and a general format of an example password, I'll be able to better determine if there is an issue in your case .

 

Ok, I'll post here as others might be interested in this issue, too.

Let's say I have an email account at a german mail provider called "web.de". My password there matches [0-9A-Za-z]{10}, e.g. "bvbH22QM4E" (of course this is not my real password). The logon page is "https://www2.club.web.de/". The password "bvbH22QM4E" is then assigned to this URL. To simply test credential protection I tried to logon to e.g. "http://www.wilderssecurity.com" with some username and the password "bvbH22QM4E", which is already locked to "https://www2.club.web.de/". I also tried to logon to other websites with the same password, but PrevX always asks me to lock the password to these websites, too:

Would you like SafeOnline to automatically secure the password you have entered? This will lock the password onto the current website to prevent any accidental phishing attacks.

Best,
Tobias

 

Do your passwords contain any special characters such as underscores, full stops, etc? The reason I ask is because password credential protection doesn't work properly if they do.

I have previously reported this and received confirmation that this is indeed an issue. This could possibly account for the behaviour you are seeing - just a thought.

 

Hi pegr,

thanks for the thought. I have read here that this can cause trouble, but for me it's not the case. The password I tested with only contains digits, letters A-Z and a-z.

 

Thank you for the testing. Could you let me know what your OS language and keyboard language are so that I can try reproducing it here?

Thank you!

 

Sure. I'm using german XP SP3 and a german keyboard layout. No german special characters or umlauts were used in my passwords, though (as already mentioned).

To explain the english PrevX message: I simply installed PrevX to use english language.

 

This could potentially be the problem. SafeOnline has some language-specific options to prevent any incompatibilities and it is possible that this is what is causing the issue. We'll be taking a look at correcting this and improving it into a generic workaround in one of the next updates. In the meantime, SafeOnline will still be protecting your credentials from identified malicious websites and will be protecting them against any local software trying to steal information.

Let me know if you have any questions! Thank you for the report!

 

As I am already on this issue, I tried to verify if the behaviour could be PrevX-install-language related. I completely removed PrevX, rebooted and installed again, this time in german.

The result is absolutely the same. PrevX asks me to lock a password to a site that it has already locked to a different site. I verified this with several sites, using https and plain http.

By the way: the question

Would you like SafeOnline to automatically secure the password you have entered? This will lock the password onto the current website to prevent any accidental phishing attacks.

is anyway asked in english language, regardless of which language I use for installing PrevX in.

 

I get the same when I use the same password on my Banking sites and it's always been that way but after you click yes on the Prevx window you have to go back and enter the last character of your password to enter!

TH

 

Thanks, Triple.

I'm trying to understand what you write and have to ask back:

a) Does

mean that I did not get the point of PrevX's password/credential protection feature?

b)

So that means I'll let PrevX lock the same password to one more site? But what if this is NOT e.g. my 2nd banking site, but a phishing site? Then it's too late already, isn't it?

 

The issue isn't with the install language of Prevx, rather, it is likely with the OS language being German and Prevx not being able to accurately track the transmitted keystrokes. We're completely overhauling this feature to make it much easier to use in Prevx 4 which will allow it to also work cross-language much better.

 

a) Going from your last post I was agreeing with you with what you are seeing!

b) Prevx will let you lock it into other sites if you use the same passwords I have not come into contact with phishing banking site myself because I keep use my own links that's where the Prevx window pops-up to make sure you check and to make sure you want to enter the site and use the password there then you look at the info in the Prevx Tab and make sure it's Green on a HTTPS site with a lock!!

HTH,

TH

Example: