List: kde-panel-devel
Subject: D9040: Revert "[Lock Screen / Login] Add "reveal password button""
From: Martin_Flöser <noreply () phabricator ! kde ! org>
Date: 2017-11-29 16:42:16
Message-ID: 20171129164216.96302.D90D4D083B4BC93F () phabricator ! kde ! org
graesslin added a comment.
In https://phabricator.kde.org/D9040#173465, @ngraham wrote:
> On most touch platforms, only the last character in password prompts is revealed, one-at-a-time. It might make more sense to implement that than to keep the reveal button.
On touch platforms: yes, but this is hybrid. Do you want your password being revealed on a big screen when entering with keyboard? Probably not. Thus the reveal button is a better solution than reveal while typing in this case.
People here know that I'm a security fanatic. And I honestly fail to see the issue with the button. Yes, if you enter half your password and move away, someone else could reveal your password. Similarly, if you mistype and move away, someone could see your password. This is a highly unrealistic scenario and doesn't allow getting the real password. It's only a problem if you use a password like 08041985 (my birthday) and someone would know that 09041985 has an obvious error. If you use that kind of password it doesn't matter at all: your friends will be able to break it.
Yes I see the concerns, but just because there are concerns means we need to destroy the usability here. Security and usability are always in conflict with each other and one needs to find the right level. Sometimes the security should win, sometimes the usability. In this case usability should win. If there are valid security concerns we should address them. I could imagine:
- show info that the password got revealed
- clear the text fields after a certain amount of inactivity
- clear the text field after incorrect password
- make button not clickable, but only on touch (might not work on X, but heck)
REPOSITORY
R120 Plasma Workspace
BRANCH
master
REVISION DETAIL
https://phabricator.kde.org/D9040
To: davidedmundson, broulik
Cc: graesslin, ngraham, broulik, plasma-devel, ZrenBot, progwolff, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, mart
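
The first three mitigations listed in the comment above (a notice that the password was revealed, clearing the field after inactivity, clearing it after an incorrect password), modelled as a toolkit-independent state machine. This is an added example, not Plasma's lock screen code and not part of the original message; the class and method names and the 30-second timeout are assumptions.

```javascript
// Added example: hypothetical model of a lock-screen password field.
// All names and the timeout value are assumptions, not Plasma code.
const IDLE_CLEAR_MS = 30000; // assumed value; the thread names no timeout

class PasswordField {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so the policy is testable
    this.text = "";
    this.revealed = false;     // is the text currently shown in clear?
    this.wasRevealed = false;  // sticky flag behind the "revealed" notice
    this.lastInput = this.now();
  }
  type(chars) {
    this.tick();               // apply the idle policy before new input
    this.text += chars;
    this.lastInput = this.now();
  }
  setReveal(on) {
    this.tick();               // stale input is wiped before it can be shown
    this.revealed = on && this.text.length > 0;
    if (this.revealed) this.wasRevealed = true;
  }
  // Call from a UI timer: drops abandoned, half-typed input.
  tick() {
    if (this.text && this.now() - this.lastInput >= IDLE_CLEAR_MS) this.clear();
  }
  // verify is the caller's authentication check (hypothetical callback).
  submit(verify) {
    this.tick();
    const ok = verify(this.text);
    this.clear();              // the field is emptied after every attempt
    if (ok) this.wasRevealed = false; // notice is reset only on a good unlock
    return ok;
  }
  clear() {
    this.text = "";
    this.revealed = false;
  }
  // Text for the UI to show the returning user; empty when nothing to report.
  notice() {
    return this.wasRevealed ? "Password was revealed on this screen" : "";
  }
}
```

The notice deliberately survives both the idle clear and a failed attempt, so the owner still sees it on return.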