1P v 7.4.1 does not generate OTP if secret is longer than 72 characters

Jaco
Community Member

Just upgraded from 7.3.6 to 7.4.1 on my iPhone and discovered that the OTP in at least one of my logins no longer works. It just shows a blank field with a circled 0 next to it.
The only interesting thing about this OTP is that the secret is 74 characters long.
I tried to remove one character at a time from the secret and at 72 characters it started working again, although the generated 6 digit code is of course incorrect.


1Password Version: 7.4.1
Extension Version: Not Provided
OS Version: iOS 12.4
Sync Type: iCloud

Comments

  • Hi @Jaco

    Thanks for taking the time to report this. I'm having trouble finding an OTP secret that is 74 characters (or even 72 characters) long. Which service is it that is creating secrets this long? Please let me know.

    Ben

  • rob
    edited October 2019

    Hi, @Jaco.

    I'm one of the developers who has worked on our TOTP library lately. We did recently make some changes to tighten up the parsing of valid secrets for security reasons. I just tested and I can use a secret that is 74 characters successfully. My guess is that your secret is encoded in a technically invalid way which our parser no longer accepts. Fortunately it is not too crazy hard to fix this. It all comes down to the last character.

    I hope you still have your original secret intact. If so, use the following table to replace the last character. Find the last character of your 74-character secret below on the left of the arrows, and replace it with the character on the right.

    BCD => A
    FGH => E
    JKL => I
    NOP => M
    RST => Q
    VWX => U
    Z23 => Y
    567 => 4
    

    Let me know if that fixes the problem for you!

    For any other users who happen upon this thread, this table should work for all secrets that are 74 characters long, but if your secret is not working and it's not 74 characters, you may need a different table so please let us know.
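The table above clears the two unused low bits of the final base32 character, so the decoded key bytes stay the same. The following added example (not part of the thread and not 1Password's code) generalizes that to any unpadded RFC 4648 base32 length; the function names and the sample secret are constructed for illustration.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # RFC 4648 base32 alphabet

# Unused low bits in the final character, keyed by unpadded length mod 8.
# Remainders 1, 3 and 6 never occur in a valid base32 encoding.
SPARE_BITS = {0: 0, 2: 2, 4: 4, 5: 1, 7: 3}


def normalize(secret: str) -> str:
    """Strip spaces and '=' padding, upper-case, and validate the shape."""
    s = secret.replace(" ", "").rstrip("=").upper()
    if not s or any(c not in ALPHABET for c in s):
        raise ValueError("not a base32 string")
    if len(s) % 8 not in SPARE_BITS:
        raise ValueError("impossible base32 length")
    return s


def spare_mask(length: int) -> int:
    """Bit mask covering the final character's unused low bits."""
    return (1 << SPARE_BITS[length % 8]) - 1


def is_canonical(secret: str) -> bool:
    """True when the unused trailing bits are all zero (strict parsers need this)."""
    s = normalize(secret)
    return (ALPHABET.index(s[-1]) & spare_mask(len(s))) == 0


def canonicalize(secret: str) -> str:
    """Rewrite the final character so the unused trailing bits are zero."""
    s = normalize(secret)
    return s[:-1] + ALPHABET[ALPHABET.index(s[-1]) & ~spare_mask(len(s))]


def decode(secret: str) -> bytes:
    """Lenient decode: whole bytes only, leftover bits are discarded."""
    bits = "".join(format(ALPHABET.index(c), "05b") for c in normalize(secret))
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def replacement_table(length: int) -> dict:
    """Map each non-canonical final character to its replacement for this length."""
    mask = spare_mask(length)
    return {c: ALPHABET[i & ~mask] for i, c in enumerate(ALPHABET) if i & mask}


# Constructed 74-character secret with non-zero trailing bits (last char "D").
SAMPLE = "JBSWY3DP" * 9 + "JD"
```

`replacement_table(74)` reproduces the table in the post above, and `decode()` returns the same 46 bytes for `SAMPLE` and `canonicalize(SAMPLE)`.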

  • Jaco
    Community Member
    edited October 2019

    Hello @rob,

    After making the substitution, it is again working as expected.

    Thanks,
    Jaco

  • rob
    edited October 2019

    Thanks for the update, @Jaco! I provided the table so that you wouldn't have to reveal anything about the actual secret, but I'm glad to hear it worked. Could you let us know (by email if you prefer) what website gave you this secret so we can investigate further?

    If you want to send an email, you can send it to support@1password.com and include a link to this thread.

  • Jaco
    Community Member

    Sure @rob, what email should I use?

  • rob
    edited October 2019

    Sorry, I had edited my comment to include that.

    support@1password.com

    ref: RAT-38651-842

This discussion has been closed.