Version: 3.1.2 (using KDE KDE 3.1.2)
Installed from: Mandrake RPMs
OS: Linux

KDE still asks me for a password when I have no password set. If I cleared all my passwords it still bugs me with that dialog. In addition checking "Remember password" in the dialog has no effect.
Subject: Re: New: Do not ask for password when no password is specified + remember password problem

On Saturday 21 June 2003 20:18, you wrote:
> KDE still asks me for a password when I have no password set. If I cleared all my passwords it still bugs me with that dialog. In addition checking "Remember password" in the dialog has no effect.

Over which protocol? FTP? HTTP? SMB? ...?
I'm not sure what to say, I'm guessing for any protocol. But, what I'm talking about here is local. I have erased the password for my root account and user account. Yet, when I access something as a user which requires root privileges it still asks me for my root password and I have none so I just click OK and it continues. For example if I open Kcontrol, go to System Administration then Login Manager and I click the Administrator button it asks me for a password and again I have none so all I do is press OK. I should not be asked for a password when there is no password for me to enter, this makes no sense.
I hope that computer of yours isn't connected to the Internet, otherwise this lack of security could be a real open door to crackers. Anyway - sounds like a kdesu bug/wishlist. Assuming this is about kdesu, not about Mandrake's dialog for running an application as root.
It is connected, but I have a firewall hardware and software and besides that there are no Linux trojans like sub7 and I doubt that anything would really happen. It's not my main workstation. It's only my mom's computer but she's still mainly using Windows which also has no passwords at all ;p And yes, this is definitely a KDE thing and not a Mandrake thing because the same thing happens on SuSE.
I have fixed the problem of "Remember password" not working. Not asking for the password when an empty password is set is problematic because testing whether the user has an empty password will cause a one second delay in case the user _does_ have a password set. For this reason we will not implement this. You can try this yourself with "su", it will wait a while before it informs you that the password is incorrect. I have attached a patch to this bugreport in case you want to patch your own version though.
Created attachment 1871: Patch to suppress password-dialog for kdesu if empty password set
But, there has to be a way you can do it, this really makes KDE seem unpolished. I think it is a lot more important to improve KDE's image and stop bugging the user every time than a mere one second delay! I've had thousands of delays having to always click OK or Enter to that dialog!
I reopened this temporarily in the hope that someone may be able to do as Waldo said without a one second delay. Honestly, it's odd that testing for an empty password would take so long! I'm sure there is a better way to do this, and maybe Waldo is using a slow machine but one second is a lot of time for testing an empty password. But, I still firmly believe it is more important that KDE is polished than having to wait an extra second.
No, it's you who doesn't understand the inner workings of the password authentication. The problem here is that we don't test the password for being empty -- we test if an empty password works. And if it doesn't, there'll be a one-second delay before another password can be asked. That's added by the system in order to prevent a brute-force attack or similar, trying to crack the password. If you throttle the rate at which the attacker can try new combinations, he'll take longer to guess. It's that that would have to change in order for the one-second delay to go away.
If I understand correctly the one second delay would only be for people who do not have an empty password, right? Anyway, couldn't the system be changed to not cause a delay when an empty password is entered, there really isn't anything to crack if there isn't any password. So why not tell the system to remove the delay after unsuccessfully trying an empty password and only add the delay when a password has characters. This seems like it should solve the problem. But, I do not know the internals or exactly how it works so I don't know really, please tell me if this would be possible. The current way without your patch just seems like something was forgotten; when someone sees a password box for an empty password they will think KDE is stupid to ask for a password when none is set.
No, the extra second delay is for everyone that doesn't have an empty password. That's because, as I said, every FAILED attempt at authenticating causes a one-second delay to prevent multiple attempts. The problem is: to find out if an account has an empty password, one has to try to authenticate with no password. That's what causes the failed attempt. If you want to change this, you have to change the authenticating backend that KDE uses.
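The trade-off described in the comments above, as an added illustration that is not part of the original thread or of kdesu: a simulated backend that delays after every failed attempt, showing that probing with an empty password removes the dialog for password-less accounts but costs every other user one delay. The names `Clock`, `Backend`, `run_as_root` and `measure` are hypothetical; the one-second figure is the one quoted in the thread.

```python
import hmac

FAIL_DELAY = 1.0  # seconds; the figure quoted in the thread


class Clock:
    """Simulated clock so the delay can be measured without really sleeping."""
    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds


class Backend:
    """Hypothetical stand-in for the system authentication backend."""
    def __init__(self, real_password, clock):
        self._real = real_password
        self._clock = clock

    def authenticate(self, attempt):
        ok = hmac.compare_digest(attempt.encode(), self._real.encode())
        if not ok:
            self._clock.sleep(FAIL_DELAY)  # throttle applied after every failure
        return ok


def run_as_root(backend, ask_user, probe_empty):
    """Return (authenticated, dialog_shown) for one privilege request."""
    if probe_empty and backend.authenticate(""):
        return True, False  # the empty password worked: no dialog needed
    # Either probing is off or the probe failed (and already cost a delay).
    return backend.authenticate(ask_user()), True


def measure(real_password, probe_empty):
    """Simulate a user who types the correct password when asked."""
    clock = Clock()
    backend = Backend(real_password, clock)
    ok, dialog = run_as_root(backend, lambda: real_password, probe_empty)
    return ok, dialog, clock.now  # clock.now = seconds lost to the throttle


if __name__ == "__main__":
    for pw in ("", "constructed-sample-password"):
        for probe in (False, True):
            print(repr(pw), "probe" if probe else "no probe", measure(pw, probe))
```

The backend cannot tell a probe from a real guess, so the only way to remove the delay for the probe is to change the backend itself.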
Ok, fine, fine, security is still more important in the end and I assume changing the backend for this is too hard. But, what about the remember password which never remembers the password, will this be fixed, or removed if it can't be fixed in 3.2?
Now that's something else. We'll have to wait for George Staikos's kwallet API which will be used to store passwords. It should be part of 3.2.
Well, if nobody is changing the backend for this and if it is too slow to incorporate this I guess this is resolved =( Anyway, I can't wait for Kwallet =)