[jira] Created: (OFBIZ-1106) Passwords in POS are shown in clear text


[jira] Commented: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535964 ]

Dan Shields commented on OFBIZ-1106:
------------------------------------

Jacques,

I have taken your comments as serious advice to me, and I have noted that you have correctly pointed out that my patch does not follow the design precedent of XUI (you did not exactly say it this way).  In my own defense: I had pursued the XUI path the other night but discarded it after estimating the number of changes that would be required in code that I am unfamiliar with (I'm new here).  For example, the straightforward refactoring of the Input/XEdit relationship to support substituting an XPassword field at (and only at) the correct time, is potentially a nightmare without a test harness around the existing Input behavior.  Maybe this is a good way to do things, maybe not.  Someone with more experience with the source in this area may have better comments than me.

I am puzzled when you say that this phenomenon (asterisk-echo) is everywhere.  I certainly don't see it everywhere, but I suppose it depends on what sw you are running.   It is not present in the login prompts on Linux, BSD or Solaris, though I admit that graphical display managers (gdm, kdm) tend to exhibit this fault.  Perhaps the past experiences you have had with software are quite different from mine, as I would expect they would differ for any other people we compared.  I feel that this phenomenon is a recent trend in graphical interfaces, on the web especially because it is built-in behavior to the password element of HTML.  But this does not say that asterisk-echo is a standard, nor that it is always a good idea.

The bug I have with showing the password is: anyone else may see that you are typing your password, and may have some greater idea of what you are typing.  The length of your password as well as pauses that indicate rhythm are noticeable by casual onlookers.  This is especially a common problem in a situation where:

a) there are many staff members who would like to gain unrestricted access to the manager account on the POS terminal (the manager account is frequently used for price changes); and
b) the entry of passwords on a keypad restricts the characters used to 0-9; this drastically reduces the range of possible passwords.

In many scenarios the cash boxes contain significant money, so they must be managed in a security conscious way.  It matters very little what other software does, it only matters what we do.

I hope I can do better on my next contrib.
Cheers,
Dan Shields

> Passwords in POS are shown in clear text
> ----------------------------------------
>
>                 Key: OFBIZ-1106
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1106
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: pos
>    Affects Versions: SVN trunk
>         Environment: All
>            Reporter: Chris Lombardi
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: input-contents-hidden.patch
>
>
> Passwords entered in the POS are displayed in the clear in the POS input panel.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535988 ]

Jacques Le Roux commented on OFBIZ-1106:
----------------------------------------

Thanks for your comment, Dan,

Actually, I did not criticise your patch (even if you found some advice in my comment ;o). I tried it since then and it's ok to me. The only point was that a new user will not see any chars when typing and may be wondering if the POS is not working or such.

I understand and agree about your security concerns. For the password length we could enforce the number of characters. There is already something like that in OFBiz (see security.properties). For the number of chars seen on screen (number of * actually) we could use a random factor (x3, x5) when rendering each character.

Maybe your solution is better, it's just that I'm worrying about red herrings ;o)

Any opinion anybody (already 2 for, one wondering)?

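The two comments above argue about how much the echo field gives away on a digits-only keypad. The following is an added example, not part of any post and not OFBiz code: it counts the candidate passwords left once an onlooker has seen the number of echo characters. It assumes a hypothetical 4-8 digit length policy and reads the "random factor (x3, x5)" proposal as drawing each typed character as either 3 or 5 asterisks.

```python
DIGITS = 10  # keypad entry limits passwords to 0-9, as noted in the thread


def candidates(lengths):
    """Count digit-only passwords whose length is one of `lengths`."""
    return sum(DIGITS ** n for n in set(lengths))


def lengths_from_echo(stars, factors=(1,), max_len=12):
    """Typed lengths consistent with `stars` echo characters on screen,
    when each typed character is drawn as one of `factors` echo characters.
    factors=(1,) is the plain one-asterisk-per-character echo."""
    totals = {0}  # echo totals reachable after n typed characters
    consistent = []
    for n in range(1, max_len + 1):
        totals = {t + f for t in totals for f in factors if t + f <= stars}
        if stars in totals:
            consistent.append(n)
    return consistent


def narrowing(stars, factors, min_len, max_len):
    """Return (candidates allowed by the length policy alone,
    candidates left once the echo field has been seen)."""
    policy = range(min_len, max_len + 1)
    seen = [n for n in lengths_from_echo(stars, factors, max_len) if n >= min_len]
    return candidates(policy), candidates(seen)


if __name__ == "__main__":
    # Constructed scenarios; the 4-8 digit policy is hypothetical.
    cases = [
        ("1 asterisk per char, 4 shown, policy 4-8", 4, (1,), 4, 8),
        ("x3/x5 random echo, 20 shown, policy 4-8", 20, (3, 5), 4, 8),
        ("1 asterisk per char, 6 shown, fixed length 6", 6, (1,), 6, 6),
    ]
    for label, stars, factors, lo, hi in cases:
        before, after = narrowing(stars, factors, lo, hi)
        print(f"{label}: {before:,} -> {after:,} candidates")
```

Under these assumptions the randomised echo still leaves only lengths 4 and 6 for 20 asterisks, while a fixed-length policy makes the echo count uninformative.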


[jira] Commented: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536113 ]

Wickersheimer Jeremy commented on OFBIZ-1106:
---------------------------------------------

Hi Dan,

You have to consider that your average POS operator is probably not a Unix guru, so printing asterisks won't be out of place.
You should also consider that users want feedback for their input, and I guess when using POS with a touch screen such feedback would be even nicer.

I don't see how knowing the length of a PIN number would decrease security (see credit cards). Managing the POS passwords in a secure way should be done by the administrators enforcing a good password policy.


[jira] Commented: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536114 ]

Scott Gray commented on OFBIZ-1106:
-----------------------------------

+1 for asterisks


[jira] Updated: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Attachment: input-with-password.patch

Thanks to all who sent me their criticisms and comments.

I finally redid this patch the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.


> Passwords in POS are shown in clear text
> ----------------------------------------
>
>                 Key: OFBIZ-1106
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1106
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: pos
>    Affects Versions: SVN trunk
>         Environment: All
>            Reporter: Chris Lombardi
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: input-contents-hidden.patch, input-with-password.patch
>
>
> Passwords entered in the POS are displayed in the clear in the POS input panel.


[jira] Issue Comment Edited: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12539278 ]

d4n edited comment on OFBIZ-1106 at 10/31/07 9:32 PM:
--------------------------------------------------------------

Thanks to all who sent me their criticisms and comments.

I finally redid this patch (see attachment input-with-password.patch) the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.


      was (Author: d4n):
    Thanks to all who sent me their criticisms and comments.

I finally redid this patch the way it was intended in the first place.  It is more satisfying because it allows the full style control over elements that is intended in XUI in the first place (including btw the default use of an echoing character).

The method may appear to be more complicated, but overall I am happier with this approach despite my obvious belly-aching about needing test cases for all these little things before I would touch the code.

 


[jira] Updated: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Comment: was deleted


[jira] Commented: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12540070 ]

Jacques Le Roux commented on OFBIZ-1106:
----------------------------------------

Dan,

I tried your patch (on release4.0 since POS is unusable in trunk for now: OFBIZ-1385). It works well, good job. Using net.xoetrope.swing.XPassword is really the good idea.

I will not apply it to release before testing it in trunk (it should work without problem) but please see also the following remark about your patch.

For a new file you should not put any specific svn:properties (author for instance) but as you granted your right to Apache foundation you should put the Apache header. Please look into APACHE2_HEADER file in OFBiz root.

In case of doubt please refer to http://docs.ofbiz.org/display/OFBADMIN/OFBiz+Contributors+Best+Practices

Thanks for your work


[jira] Updated: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Shields updated OFBIZ-1106:
-------------------------------

    Attachment: input-with-password.patch

This patch includes the Apache headers.

> Passwords in POS are shown in clear text
> ----------------------------------------
>
>                 Key: OFBIZ-1106
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1106
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: pos
>    Affects Versions: SVN trunk
>         Environment: All
>            Reporter: Chris Lombardi
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: input-contents-hidden.patch, input-with-password.patch, input-with-password.patch
>
>
> Passwords entered in the POS are displayed in the clear in the POS input panel.


[jira] Closed: (OFBIZ-1106) Passwords in POS are shown in clear text

Nicolas Malin (Jira)
In reply to this post by Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-1106.
----------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk

Thanks Dan,

Your patch is in trunk revision: 593671  


> Passwords in POS are shown in clear text
> ----------------------------------------
>
>                 Key: OFBIZ-1106
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1106
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: pos
>    Affects Versions: SVN trunk
>         Environment: All
>            Reporter: Chris Lombardi
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: SVN trunk
>
>         Attachments: input-contents-hidden.patch, input-with-password.patch, input-with-password.patch
>
>
> Passwords entered in the POS are displayed in the clear in the POS input panel.
