On Windows, password manager randomly(?) does not offer PIN entry for Microsoft accounts; crashes
Reported by
mr.ber...@gmail.com,
Jan 2
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 Steps to reproduce the problem: 0. Be logged in to Windows 10 (I have been using 1809 since a week or so) using a Microsoft Account (user@gmail.com) and a PIN (1234) 1. Go to chrome://settings/passwords 2. Try to view a stored password 3. Be prompted to enter PIN for user@gmail.com (actually, this is a step up from 1803: Windows 1809 seems to remember that I logged in using a PIN, so it asks for the PIN. 1803 would always ask for a password first, forcing me to click "More Choices", click user@gmail.com, choose PIN.) 4. Click "Cancel" (or enter PIN and wait for auth to timeout to be prompted for password/PIN again) 5. Try again What is the expected behavior? 7. Be prompted to enter PIN for user@gmail.com (again) What went wrong? 7. Randomly, be prompted for a user name and password instead. You can click "More choices", but choosing user@gmail.com will not enable PIN entry. It may work after hitting Escape or "Cancel"ing and trying again (or repeating that a couple of times). During this procedure, I have encountered crashes, too - see attached video. Did this work before? N/A Chrome version: 71.0.3578.98 Channel: stable OS Version: 10.0 Flash Version:
,
Jan 2
wfh: Are you the best person to investigate? I suspect this is around the CredUIPromptForCredentials call in //chrome/browser/password_manager/password_manager_util_win.cc. It doesn't look like there has been recent meaningful change to this for over a year, so I suspect it's an OS-type change.
,
Jan 3
+Roger helped building this feature. We have some crash dumps here: https://goto.google.com/xkdgs
,
Jan 4
,
Jan 14
The change I implemented added the "More choices" option. Before that you could only use a password. Given that between Windows 10 1803 and 1809 Microsoft changed the the OS to try to remember what choice you last used, seems like the error might be there. Can you confirm or deny this speculation by using another app that asks for credentials and seeing if the PIN option is properly remembered there? I don't think the crashes are related to this behaviour.
,
Jan 14
If #5 is targeted at me, I am not aware of any other software using CredUIPromptForCredentials, so that is hard to test. If anybody is willing to write a wrapper for the example code listed at [1], I'd be happy to test that. [1] https://docs.microsoft.com/en-us/windows/desktop/secbp/asking-the-user-for-credentials
,
Jan 14
Maybe connecting to a network share? Does revealing passwords in Microsoft Edge ask for authentication?
,
Jan 14
> Does revealing passwords in Microsoft Edge ask for authentication? Sort of, yes: Control Panel\User Accounts\Credential Manager is where you do that. And indeed, repeating my repro steps above lead to similar behavior. Clicking "Show" next to a password opens the Windows Security prompt, which asks for either a user name and password (U/P) or a PIN. Clicking Cancel and Show in quick succession asks for (for example) PIN, U/P, U/P, U/P, PIN, PIN, PIN, U/P, U/P, PIN, PIN, PIN, U/P, U/P, PIN, U/P, PIN, U/P, ... I fail to recognize a pattern. Even after successful PIN entry, the next dialog is not guaranteed to ask for the PIN again. So this seems to be an OS "feature". I cannot reproduce the crash that way, though. |
||||
►
Sign in to add a comment |
||||
Comment 1 by vamshi.kommuri@chromium.org
, Jan 2