Re: Recover email password from Magic Wand
andrews...@yahoo.com
>Hans Wolf wrote:
> > Is it possible to recover a forgotten email password from the Magic
> > Wand?
> Only with several years on a supercomputer to crack the encryption (I hope)
You've got to be kidding me! What is there to crack?
After you enter your wand master password (if any), Opera could just as
easily display the wand passwords on your screen as it can send those
passwords to the target websites. There's no security problem solved by
refusing to display the passwords, so why does Opera refuse to display
them?
Anyway, to answer the OP, the solution is:
Go to the web page which is the target for your wand password (e.g.
your webmail provider). If the login is http, then just login, and
sniff your own network connection for the password. If the login is
https, then set your own private dns server to resolve the webmail
server's hostname to the IP address of your own private web server, set
Opera (or the computer on which Opera is running) to use your private
dns server instead of your ISP's server, copy the webmail provider's
login page to your private web server, and login using the wand as
usual (and ignore Opera's warnings about any incorrect certificates).
Check your web server's logs, and presto, you've got the password. Note
that no decryption of anything is necessary, and no cracking (not even
any trivial cracking) is necessary.
So the question to Opera Software is: why do you make your users go
through such annoying acrobatics in order to display their own
passwords, when you could simply display the passwords on request, like
Bruce Schneier's Password Safe does?
Brian Redmond
> Richard Grevers wrote:
>> Hans Wolf wrote:
>> > Is it possible to recover a forgotten email password from the Magic
>> > Wand?
>> Only with several years on a supercomputer to crack the encryption (I
>> hope)
SNIP
> So the question to Opera Software is: why do you make your users go
> through such annoying acrobatics in order to display their own
> passwords, when you could simply display the passwords on request, like
> Bruce Schneier's Password Safe does?
>
Because it's trivial to get a Wand password...
- Go to the url
- Hit the Wand button
- Immediately hit <Esc>
- Run the following (in my case, as a bookmark on my Personal toolbar) ...
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0;
j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
(f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s)
alert("Passwords in forms on this page:\n\n" + s); else alert("There are
no passwords in forms on this page.");})();
This has worked perfectly for me for years. Apologies that I can't credit
its author.
Regards,
Brian.
Matthew Winn
It's an interesting use of the word "trivial" you have there. It's
trivial in the cryptographic sense of "not even slightly protected
against recovery", but to the non-programmer user who just wants to
find out what his password is so he can use it on another machine
that block of script is anything but trivial.
--
Matthew Winn
[If replying by email remove the "r" from "urk"]
Brian Redmond
wrote:
> It's an interesting use of the word "trivial" you have there. It's
> trivial in the cryptographic sense of "not even slightly protected
> against recovery", but to the non-programmer user who just wants to
> find out what his password is so he can use it on another machine
> that block of script is anything but trivial.
>
Agreed. My use of the word "trivial" was in the sense that it's very easy
to do. The only skill that it required of me was the ability to create a
bookmark and cut and paste the code into it. Even _I_ can do that!
Regards,
Brian
Frank J. Perricone
> Because it's trivial to get a Wand password...
> - Go to the url
> - Hit the Wand button
> - Immediately hit <Esc>
> - Run the following (in my case, as a bookmark on my Personal toolbar) ...
> javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0;
> j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
> (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s)
> alert("Passwords in forms on this page:\n\n" + s); else alert("There are
> no passwords in forms on this page.");})();
>
> This has worked perfectly for me for years. Apologies that I can't credit
> its author.
Nice trick. Thanks for that.
--
Frank J. Perricone fr...@dlc.state.vt.us
IT Manager 802-828-4926 Fax: 802-828-2803
Vermont Department of Liquor Control http://www.state.vt.us/dlc/
Gandalf
> On Sat, 29 Jul 2006 00:29:27 +0100, "Brian Redmond" <no...@none.com> wrote:
>
>> Because it's trivial to get a Wand password...
>> - Go to the url
>> - Hit the Wand button
>> - Immediately hit <Esc>
>> - Run the following (in my case, as a bookmark on my Personal toolbar) ...
>> javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0;
>> j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
>> (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s)
>> alert("Passwords in forms on this page:\n\n" + s); else alert("There are
>> no passwords in forms on this page.");})();
>>
>> This has worked perfectly for me for years. Apologies that I can't credit
>> its author.
>
> Nice trick. Thanks for that.
>
Stupid question...
How do you run the code?
-G
Gandalf
>
> You simply paste it in to the address box, like a URL, and press Enter.
> I then saved it as a bookmark for later use.
>
That was the first thing I tried.
Surprised me that it didn't work.
Ideas?
-G
Frank J. Perricone
> >> How do you run the code?
> > You simply paste it in to the address box, like a URL, and press Enter.
> > I then saved it as a bookmark for later use.
> That was the first thing I tried.
> Surprised me that it didn't work.
Surprises me too. In what sense doesn't it work? Worked fine here.
Gandalf
> On Tue, 01 Aug 2006 04:27:27 GMT, Gandalf <gan...@rivendel.bog> wrote:
>
>>>> How do you run the code?
>
>>> You simply paste it in to the address box, like a URL, and press Enter.
>>> I then saved it as a bookmark for later use.
>
>> That was the first thing I tried.
>> Surprised me that it didn't work.
>
> Surprises me too. In what sense doesn't it work? Worked fine here.
>
In the sense that *nothing* happens. :-/
Error console shows:
> JavaScript - javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if > (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) > alert("Passwords in forms on this page:\n\n" + s); else alert("There are > no passwords in forms on this page.");})();
> Javascript URL thread: "javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.length; ++j) { ..."
> Syntax error while loading: line 1 of unknown script :
> F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.lengt
> --------------------------------------------^
Any ideas?
-G
Opera 9.01 b8543 WinXPPro SP2 Java 1.5.0_06-b05
Eik
> In the sense that *nothing* happens. :-/
You could try my bookmarklet instead:
[ javascript:a=document.getElementsByTagName('input');for(i=a.length,s='';i--;)if(a[i].type==='password')s+='Password:
'+a[i].value+"\n";alert(s); ]
Create a new bookmark by right-clicking on the bookmarks panel and paste
in the above code inbetween the square brackets (but not the brackets
themselves) as the URL. Give it a suitable title such as 'Wand password
reader'. You can also give it a nickname if you like such as 'wand' or
'pass' etc.
Then when you're on a login page, make sure Javascript is enabled and
press Ctrl+Enter and a fraction of a second later press Esc to stop the
sumbission. You should then see the form fields change from blank areas
with a yellow outline to having text in them, though obviously the
password field will only show dots/stars. Now type in the nickname or
click on the bookmark and a popup should appear with your password?
Eik
[javascript:a=document.getElementsByTagName('input');for(i=a.length,s='';i--;)if(a[i].type==='password')s+='Password:
'+a[i].value+"\n";alert(s)]
> paste in the above code inbetween the square brackets...
Hmm, I pasted it in square brackets because I thought that would prevent
it wrapping, but it did so anyway in Opera. If it wraps in your newsreader
then make sure everything you copy between the brackets goes back onto 1
line, perhaps by opening Notepad and editing it there before pasting back
into Opera's bookmarks.
Gandalf
Ok, your script works.
I have no idea why the other did not.
Thanks.
-G
Vic Dura
Say, that is very nice and useful. Thanks for the script.
--
To email me directly, remove CLUTTER.
Frank J. Perricone
> > JavaScript - javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if > (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) > alert("Passwords in forms on this page:\n\n" + s); else alert("There are > no passwords in forms on this page.");})();
> > Javascript URL thread: "javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.length; ++j) { ..."
> > Syntax error while loading: line 1 of unknown script :
> > F,j,f,i; s = ""; F = document.forms; for(j=0; > j<F.lengt
> > --------------------------------------------^
Looks like you wordwrapped it. Unwordwrap it and it'll work fine.