[ https://issues.apache.org/jira/browse/OFBIZ-1106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535964 ]

Dan Shields commented on OFBIZ-1106:
------------------------------------

Jacques, 

I have taken your comments as serious advice to me, and I have noted that you 
have correctly pointed out that my patch does not follow the design precedent 
of XUI (you did not exactly say it this way).  In my own defense: I had pursued 
the XUI path the other night but discarded it after estimating the number of 
changes that would be required in code that I am unfamiliar with (I'm new 
here).  For example, the straightforward refactoring of the Input/XEdit 
relationship to support substituting a XPassword field at (and only at) the 
correct time is potentially a nightmare without a test harness around the 
existing Input behavior.  Maybe this is a good way to do things, maybe not.  
Someone with more experience with the source in this area may have better 
comments than me.

I am puzzled when you say that this phenomenon (asterisk-echo) is everywhere.  
I certainly don't see it everywhere, but I suppose it depends on what sw you 
are running.   It is not present in the login prompts on Linux, BSD or Solaris, 
though I admit that graphical display managers (gdm, kdm) tend to exhibit this 
fault.  Perhaps the past experiences you have had with software are quite 
different from mine, as I would expect the experiences of any other two people 
we compared to be.  I feel that this phenomenon is a recent trend in graphical 
interfaces, on the web especially, because it is built-in behavior of the 
password element of HTML.  But this does not say that asterisk-echo is a 
standard, nor that it is always a good idea.  

The bug I have with showing the password is: anyone else may see that you are 
typing your password, and may have some greater idea of what you are typing.  
The length of your password as well as pauses that indicate rhythm are 
noticeable by casual onlookers.  This is an especially common problem in a 
situation where:

a) there are many staff members who would like to gain unrestricted access to 
the manager account on the POS terminal (the manager account is frequently used 
for price changes); and 
b) the entry of passwords on a keypad restricts the characters used to 0-9, 
which drastically reduces the range of possible passwords.  

In many scenarios the cash boxes contain significant money, so they must be 
managed in a security conscious way.  It matters very little what other 
software does, it only matters what we do.

I hope I can do better on my next contrib.
Cheers,
Dan Shields

> Passwords in POS are shown in clear text
> ----------------------------------------
>
>                 Key: OFBIZ-1106
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1106
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: pos
>    Affects Versions: SVN trunk
>         Environment: All
>            Reporter: Chris Lombardi
>            Assignee: Jacques Le Roux
>            Priority: Minor
>         Attachments: input-contents-hidden.patch
>
>
> Passwords entered in the POS are displayed in the clear in the POS input 
> panel.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.