| Summary: | If password has been made visible, it should be hidden again the moment the user clicks the "OK" button | | |
|---|---|---|---|
| Product: | [Plasma] Plasma Vault | Reporter: | lesto <lestofante88> |
| Component: | general | Assignee: | Ivan Čukić <ivan.cukic> |
| Status: | RESOLVED FIXED | | |
| Severity: | grave | CC: | nate |
| Priority: | HI | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Other | | |
| OS: | Linux | | |
| Latest Commit: | https://invent.kde.org/plasma/plasma-vault/commit/5e6a53ba55fd60ace3adbd4ca57f90a5cd44992f | Version Fixed In: | 5.19.4 |
| Sentry Crash Report: | | | |
| Attachments: | attachment-12016-0.html | | |

Description
lesto
2020-07-10 12:55:29 UTC
Seems entirely reasonable. Thanks for the anecdote that demonstrates why this is a problem!

Git commit c4932f99056ff348e354e95fcbdd1af28f25c5ef by Ivan Čukić.
Committed on 12/07/2020 at 15:42.
Pushed by ivan into branch 'master'.

Reset password field when the user clicks Ok

- Clear the password on unsuccessful vault open
- If the user clicked to show the password, it gets hidden as soon as Ok is clicked

M +2 -0 kded/ui/mountdialog.cpp

https://invent.kde.org/plasma/plasma-vault/commit/c4932f99056ff348e354e95fcbdd1af28f25c5ef

Git commit 5e6a53ba55fd60ace3adbd4ca57f90a5cd44992f by Ivan Čukić.
Committed on 12/07/2020 at 15:45.
Pushed by ivan into branch 'Plasma/5.19'.

Reset password field when the user clicks Ok

- Clear the password on unsuccessful vault open
- If the user clicked to show the password, it gets hidden as soon as Ok is clicked

M +2 -0 kded/ui/mountdialog.cpp

https://invent.kde.org/plasma/plasma-vault/commit/5e6a53ba55fd60ace3adbd4ca57f90a5cd44992f

The reveal button is one of the worst things that ever happened to password entry fields... Thanks for reporting this!

Thanks for the super fast fix!

@Ivan Čukić thanks for the quick patch!! Just want to say that to me the Reveal button is very nice; I use a long passphrase and having to re-enter it 2-3 times became extremely frustrating. With this fix the password fields are perfect IMHO (the field will hide and remain hidden, right?). Next I will experiment using an HW wallet for password and/or decryption key.

It will hide *and* clear the field. This is to follow the new screen locker policy (or did I dream it Nate?).

Password reveal button is useful, though it kills the point of having a long passphrase :)

The main issue I have with it (apart from the over-the-shoulder ones like this bug was) is that in order to have the reveal button, the string needs to sit in memory unencrypted. If password fields were simpler (no reveal, no left-right arrow keys, no random character deletion/change), each char could be encrypted as soon as it is entered without decrypting the old ones.

(In reply to Ivan Čukić from comment #7)
> It will hide *and* clear the field. This is to follow the new screen locker
> policy (or did I dream it Nate?).

Nope, you're right and that's the case now. :)

> Password reveal button is useful, though it kills the point of having a long
> passphrase :)
>
> The main issue I have with it (apart from the over-the-shoulder ones like
> this bug was) is that in order to have the reveal button, the string needs
> to sit in memory unencrypted. If password fields were simpler (no reveal, no
> left-right arrow keys, no random character deletion/change), each char could
> be encrypted as soon as it is entered without decrypting the old ones.

Could we not still encrypt each character in memory but store them all in an array to preserve the above-mentioned features?

Created attachment 130091
attachment-12016-0.html

If you want to encrypt, I see no need for any complication; it is saving only the hash that will make complications on editing older values. The array of temp hashes will make it possible to delete right to left but not delete/edit the middle.

On Mon, 13 Jul 2020, 18:11 Nate Graham, <bugzilla_noreply@kde.org> wrote:

> https://bugs.kde.org/show_bug.cgi?id=424063
>
> --- Comment #8 from Nate Graham <nate@kde.org> ---
> (In reply to Ivan Čukić from comment #7)
> > It will hide *and* clear the field. This is to follow the new screen locker
> > policy (or did I dream it Nate?).
> Nope, you're right and that's the case now. :)
>
> > Password reveal button is useful, though it kills the point of having a long
> > passphrase :)
> >
> > The main issue I have with it (apart from the over-the-shoulder ones like
> > this bug was) is that in order to have the reveal button, the string needs
> > to sit in memory unencrypted. If password fields were simpler (no reveal, no
> > left-right arrow keys, no random character deletion/change), each char could
> > be encrypted as soon as it is entered without decrypting the old ones.
> Could we not still encrypt each character in memory but store them all in an
> array to preserve the above-mentioned features?
>
> --
> You are receiving this mail because:
> You reported the bug.

@Nate Characters can't (shouldn't) be encrypted one by one.

@lestofante Something like that could be doable with some encryption schemes.
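
The trade-off discussed in the last comments, as an added Python sketch that is not code from Plasma Vault or from any commenter: a field that keeps one running-hash snapshot per keystroke supports typing and right-to-left deletion without storing the text, but the snapshots themselves can be checked one character at a time. `PrefixHashField`, `recover_from_snapshots`, the salt and the choice of SHA-256 are assumptions made for illustration; the thread does not name a scheme.

```python
import hashlib
import string

class PrefixHashField:
    """Hypothetical append/backspace-only field: keeps one running-hash
    snapshot per keystroke and never stores the typed text."""

    def __init__(self, salt: bytes):
        # _states[i] is the SHA-256 state after salt + the first i characters.
        self._states = [hashlib.sha256(salt)]

    def type_char(self, ch: str) -> None:
        nxt = self._states[-1].copy()
        nxt.update(ch.encode("utf-8"))
        self._states.append(nxt)

    def backspace(self) -> None:
        # Deleting right to left just drops the newest snapshot.
        if len(self._states) > 1:
            self._states.pop()

    # No insert-in-the-middle or reveal: both would need the plaintext,
    # which this design does not keep.
    def digest(self) -> bytes:
        return self._states[-1].digest()

def recover_from_snapshots(field: PrefixHashField, alphabet: str) -> str:
    """Design check: neighbouring snapshots differ by one character, so
    whoever can read them can test each position independently."""
    out = []
    for prev, cur in zip(field._states, field._states[1:]):
        target = cur.digest()
        match = "?"
        for ch in alphabet:
            trial = prev.copy()
            trial.update(ch.encode("utf-8"))
            if trial.digest() == target:
                match = ch
                break
        out.append(match)
    return "".join(out)

def demo():
    field = PrefixHashField(b"constructed-salt")  # constructed sample input
    for ch in "abc":
        field.type_char(ch)
    field.backspace()
    field.type_char("d")
    return field.digest(), recover_from_snapshots(field, string.printable)
```

The final digest matches a one-shot hash of the edited text, yet the stored snapshots give the text back in at most `len(alphabet)` trials per character, so the per-keystroke array adds no protection for the passphrase while it sits in memory.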