Bug 6966 - Passwords not being hashed out upon entry
: Passwords not being hashed out upon entry
Status: RESOLVED DUPLICATE of bug 6598
Product: Browser
MicroB engine
: 5.0/(1.2009.42-11)
: N900 Maemo
: Low normal (vote)
: ---
Assigned To: unassigned
: browser-other-plugin-bugs
: https://olb2.nationet.com/
: security
:
:
  Show dependency tree
 
Reported: 2009-12-14 21:04 UTC by Paul
Modified: 2010-02-04 04:17 UTC (History)
5 users (show)

See Also:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description Paul (reporter) 2009-12-14 21:04:49 UTC
SOFTWARE VERSION:1.2009.42-11.203.2
(Settings > General > About product)

EXACT STEPS LEADING TO PROBLEM: 
(Explain in detail what you do (e.g. tap on OK) and what you see (e.g. message
Connection Failed appears))
1. when entering a password or number from drop down boxes, ie for online
banking, the numbers entered are not being hashed out and can still see them. 
The purpose of using a drop down down is to stop key logging.
2. 
3. 

EXPECTED OUTCOME:
pass words/numbers should be hashed out
ACTUAL OUTCOME:
not hashed out
REPRODUCIBILITY:
(always, less than 1/10, 5/10, 9/10)

EXTRA SOFTWARE INSTALLED:

OTHER COMMENTS:
check out an on line bank login page such as nationwide.co.uk.  I believe this
is a high security risk issue which needs attention urgently.

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; GTB6.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; MDDC)
Comment 1 Lucas Maneos 2009-12-15 15:48:42 UTC
Confirmed.  I'm not sure it's microb's problem as the page doesn't even
validate, but it works as the reporter expects in Firefox 3.5.
Comment 2 Neil MacLeod maemo.org 2009-12-15 16:02:13 UTC
(In reply to comment #0)
> EXPECTED OUTCOME:
> pass words/numbers should be hashed out
> ACTUAL OUTCOME:
> not hashed out

Some security researchers are beginning to question the usefulness of password
masking. Just for the debate:

1. http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html
2. http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
Comment 3 Andre Klapper maemo.org 2010-02-03 19:35:33 UTC
So it turns out that this is the same issue as bug 6598, hence marking as
duplicate.

*** This bug has been marked as a duplicate of bug 6598 ***
Comment 4 tuukka.tolvanen nokia 2010-02-04 04:17:40 UTC
Not actually related to bug 6598 afaict, but rather custom script stuff from 
https://olb2.nationet.com/signon/javascript/addDDLbehaviour.js

The numbers selected in the dropdowns change to * when the dropdown loses focus
on tapping somewhere else (browser ~2010.05) which is slightly later than on
desktop, but fulfills the apparent goal of showing at most one secret character
at once. (There's visibility during selection either way.)