• Resolved Dane Morgan

    (@danemorgan)


    I have this installed and set up on six sites for one of my clients.

    All six of the staff members are set up and working except for one member on one site.

    For some reason, on this one site for this one person, when we activate TFA, he is rejected after entering his OTP with a “password is incorrect for username” error.

    However, when I then deactivate TFA for his account he can log in with his password with no problem.

    It isn’t a case of mistyping, because he, like all of this team, uses LastPass, and it always works without TFA and always fails with TFA.

    And he is successfully using TFA on all five of the other sites the team owns.


Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author David Anderson

    (@davidanderson)

    Hi Dane,

    What happens if he tries it in a browser which does *not* have LastPass installed?

    (We have seen cases in which, after exhaustive testing, we found that LastPass is wrongly modifying what is being sent, which surprises everyone, but it can be demonstrated using the browser inspector tools).

    David

    Thread Starter Dane Morgan

    (@danemorgan)

    Same result when I had him use a browser that does not have the LastPass extension. I also asked him to change his password and try again and we got the same result.

    And the odd thing is that he is having no problem on five other websites that all have the same theme and plugin set.

    • This reply was modified 6 years, 9 months ago by Dane Morgan. Reason: Additional information
    Plugin Author David Anderson

    (@davidanderson)

    Hi Dane,

    If you use your browser’s developer tools to inspect what’s actually in the POST data that is sent when logging in with the right, but rejected, password, then does it show the expected password?

    David

    Thread Starter Dane Morgan

    (@danemorgan)

    I’m six or seven states away from the user with the issue. Incidentally, I scanned his code and logged in as him without error.

    We already tried logging in from a browser that does not have LastPass installed, and this is all working on five other identical sites.

    Do you think trying a different authenticator like Authy or deleting and recreating his account on the site would have any effect?

    Plugin Author David Anderson

    (@davidanderson)

    Hi Dane,

    Incidentally, I scanned his code and logged in as him without error.

    You’re saying that it works for you on your computer, using the correct password, but not for him on his computer? In that case, you definitely want to tell him to open the Developer Tools in his browser so that he can confirm what password the browser sends to the site. Though you’d assume that this will be identical to what he typed in, this is not necessarily so (we’ve seen cases).

    Do you think trying a different authenticator like Authy or deleting and recreating his account on the site would have any effect?

    There is only one correct numeric code in every 30-second window, and so every authenticator will either be generating the same code, or be generating an unacceptable code.

    Whether re-creating the user account might make any difference would depend on the cause. I couldn’t say either way on the present info. Getting him to deploy his browser’s network inspector, as mentioned above, is the thing to do, to get more data on what’s going on.

    David
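
To illustrate the reply above about authenticator apps, here is an added example (not the plugin's code and not from the thread) that computes a time-based code from a shared secret and a clock. It assumes standard RFC 6238 parameters (HMAC-SHA1, 6 digits, 30-second step) and uses the RFC's published test key as constructed sample data; the plugin's actual settings are not shown on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per window, as stated in the reply above


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the window containing unix_time."""
    s = secret_b32.upper().replace(" ", "")
    s += "=" * (-len(s) % 8)  # restore base32 padding if it was stripped
    key = base64.b32decode(s)
    counter = unix_time // STEP  # every clock in the same window agrees
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def accepts(secret_b32: str, submitted: str, server_time: int) -> bool:
    """Strict check (assumption): only the current window's code passes."""
    expected = totp(secret_b32, server_time)
    return hmac.compare_digest(expected, submitted)


# Constructed sample: the RFC 6238 test key, base32-encoded as a QR code would carry it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Two "devices" holding the same secret, read 20 seconds apart in one window.
    print("device A at t=35:", totp(SECRET, 35))
    print("device B at t=55:", totp(SECRET, 55))
    # One second into the next window the code has changed.
    print("either at t=60: ", totp(SECRET, 60))
    print("old code accepted at t=61?", accepts(SECRET, totp(SECRET, 55), 61))
```

The code depends only on the secret and the clock, so an app swap changes nothing, and a second person who scans the same secret and logs in successfully shows the secret and server clock are sound.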

    Thread Starter Dane Morgan

    (@danemorgan)

    Okay, I walked him through getting the info from the network inspector, and what he is typing in and what the _POST variable is carrying over are *different* strings.

    When I deactivate the TFA plugin for his account and he logs in, it posts the password correctly.

    • This reply was modified 6 years, 9 months ago by Dane Morgan.
    Plugin Author David Anderson

    (@davidanderson)

    Hi Dane,

    This indicates that there is something in the browser – if not LastPass, then something else – that is changing the password field after the login process has begun showing the ‘TFA code’ request. (All elements – i.e. username, password, TFA code are submitted together – they’re all still in the browser until the final submission). LastPass is one extension that does this, but it would seem that you’ve found another. You could use a process of elimination to find out. (i.e. Confirm the diagnosis by using a device that has *never* logged into the account, in ‘private’ mode with no extensions loaded… and then work from there with a process of elimination).

    David

  • The topic ‘False Invalid Password Error’ is closed to new replies.