maemo.org Bugzilla – Bug 6966
Passwords not being hashed out upon entry
Last modified: 2010-02-04 04:17:40 UTC
SOFTWARE VERSION: 1.2009.42-11.203.2
(Settings > General > About product)

EXACT STEPS LEADING TO PROBLEM:
(Explain in detail what you do (e.g. tap on OK) and what you see (e.g. message Connection Failed appears))
1. When entering a password or number from drop-down boxes, i.e. for online banking, the numbers entered are not being hashed out and can still be seen. The purpose of using a drop-down is to stop key logging.
2.
3.

EXPECTED OUTCOME:
passwords/numbers should be hashed out

ACTUAL OUTCOME:
not hashed out

REPRODUCIBILITY:
(always, less than 1/10, 5/10, 9/10)

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:
Check out an online bank login page such as nationwide.co.uk. I believe this is a high security risk issue which needs attention urgently.

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDC)
Confirmed. I'm not sure it's microb's problem as the page doesn't even validate, but it works as the reporter expects in Firefox 3.5.
(In reply to comment #0)
> EXPECTED OUTCOME:
> passwords/numbers should be hashed out
> ACTUAL OUTCOME:
> not hashed out

Some security researchers are beginning to question the usefulness of password masking. Just for the debate:
1. http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html
2. http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
So it turns out that this is the same issue as bug 6598, hence marking as duplicate.

*** This bug has been marked as a duplicate of bug 6598 ***
Not actually related to bug 6598 afaict, but rather custom script stuff from https://olb2.nationet.com/signon/javascript/addDDLbehaviour.js

The numbers selected in the dropdowns change to * when the dropdown loses focus on tapping somewhere else (browser ~2010.05), which is slightly later than on desktop, but fulfills the apparent goal of showing at most one secret character at once. (There's visibility during selection either way.)