[jira] Created: (OFBIZ-1106) Passwords in POS are shown in clear text

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535964 ]

Dan Shields commented on OFBIZ-1106:
------------------------------------

Jacques,

I have taken your comments as serious advice to me, and I have noted that you have correctly pointed out that my patch does not follow the design precedent of XUI (you did not exactly say it this way).  In my own defense: I had pursued the XUI path the other night but discarded it after estimating the number of changes that would be required in code that I am unfamiliar with (I'm new here).  For example, the straightforward refactoring of the Input/XEdit relationship to support substituting a XPassword field at (and only at) the correct time, is potentially a night-mare without a test harness around the existing Input behavior.  Maybe this is a good way to do things, maybe not.  Someone with more experience with the source in this area may have better comments than me.

I am puzzled when you say that this phenomenon (asterisk-echo) is everywhere.  I certainly don't see it everywhere, but I suppose it depends on what sw you are running.   It is not present in the login prompts on Linux, BSD or Solaris, though I admit that graphical display managers (gdm, kdm) tend to exhibit this fault.  Perhaps the past experiences you have had with software are quite different from mine, as I would expect would be different any other peoples that we compared.  I feel that this phenomenon is a recent trend in graphical interfaces, on the web especially because it is built in behavior to the password element of HTML.  But this does not say that asterisk-echo is a standard, nor that it is always a good idea.  

The bug I have with showing the password is: anyone else may see that you are typing your password, and may have some greater idea of what you are typing.  The length of your password as well as pauses that indicate rhythm are noticeable by casual onlookers.  This is especially a common problem in a situation where:

a) there are many staff members who would like to gain unrestricted access to the manager account on the POS terminal (the manager account is frequently used for price changes); and
b) the entry of passwords on a keypad restricts the characters used to 0-9, this drastically reduces the range of possible passwords.  

In many scenarios the cash boxes contain significant money, so they must be managed in a security conscious way.  It matters very little what other software does, it only matters what we do.

I hope I can do better on my next contrib.
Cheers,
Dan Shields

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535988 ]

Jacques Le Roux commented on OFBIZ-1106:
----------------------------------------

Thanks for comment Dan,

Actually, I did not criticise your patch (even if you found some advices in my comment ;o). I tried it since then and it's ok to me. The only point was that a new user will not see any chars when typing and may be wondering if the POS is not working or such

I understand and agree about your security concerns. For the password lenght we could enforce the number of characters. There is already something like that in OFBiz (see security.properties). For the number of chars seen on screen (number of * actually) we could use a random factor (x3, x5) when rendering each character.

Maybe your solution is better, it's just that I'm worrying about red herrings ;o)

Any opinion anybody (aleady 2 for, one wondering) ?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536113 ]

Wickersheimer Jeremy commented on OFBIZ-1106:
---------------------------------------------

Hi Dan,

You have to consider that your average POS operator is probably not a Unix guru, so printing asterisks won't be out of place.
You should also consider that user want feedback for their input, and i guess when using POS with a touch screen such feedback would be even nicer.

I don't see how knowing the length of a PIN number would decrease security (see credit cards). Managing the POS passwords in a secure way should be done by the administrators enforcing a good password policy.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536114 ]

Scott Gray commented on OFBIZ-1106:
-----------------------------------

+1 for asterisks

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Attachment: input-with-password.patch

Thanks to all who sent me their criticisms and comments.

I finally redid this patch the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12539278 ]

d4n edited comment on OFBIZ-1106 at 10/31/07 9:32 PM:
--------------------------------------------------------------

Thanks to all who sent me their criticisms and comments.

I finally redid this patch (see attachement input-with-password.patch) the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.


      was (Author: d4n):
    Thanks to all who sent me their criticisms and comments.

I finally redid this patch the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.

 
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Comment: was deleted

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12540070 ]

Jacques Le Roux commented on OFBIZ-1106:
----------------------------------------

Dan,

I tried your patch (on release4.0 since POS is unusable in trunk for now : OFBIZ-1385). It works well, good job. Using net.xoetrope.swing.XPassword is really the  good idea.

I wil not apply it to release before testing it in trunk (it should work without problem) but please see also the following remark about your patch.

For new file you should not put any specific svn:properties (author for instance) but as you granted your right to Apache foundation you should put the Apache header. Please look into APACHE2_HEADER file in OFBiz root.

In case of doubt please refer to http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices

Thanks for your work

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Attachment: input-with-password.patch

This patch includes the Apache headers.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1106.
----------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk

Thanks Dan,

Your patch is in trunk revision: 593671  


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.