Microsoft Edge has show password functionality built into it.
That's you saving your password in Edge, though, not a system storing a user's password. Edge (or Chrome or Firefox etc.) has to store the password in a reversible form or it cannot pass it to the end system when required. The end systems should store a hash of the password (i.e. a form that cannot be decrypted; it's a one-way process).
That’s you saving your password in edge
No it isn't.
https://docs.microsoft.com/en-us/microsoft-edge/web-platform/password-reveal
But let's look forward to Cougar's blog on the subject.
I'm surprised they even bothered to document that feature. A password input is just a text input that shows a * for each character. There is no encryption.
It's a crap idea*, but if they're willing to pay** then crack on.
* - I trained as an IT Auditor in the early 90s and I'm in an equivalent role now
** - I did run a software company for a while
I would though advise them that they were branching off the main design path and they could face considerable upgrade costs long term.
No it isn’t.
https://docs.microsoft.com/en-us/microsoft-edge/web-platform/password-reveal
But let's look forward to Cougar's blog on the subject.
Yes it is. And you can do the same thing in any browser by going to 'inspect'/'inspect element' and changing the 'type' from 'password' to 'text'.
But all you're seeing there is whatever you've just typed into the browser, not necessarily the actual password for the system. From that link:
After a user has entered text in the password field, a user may choose the password reveal button
If your password is '0pensesame' and you type in 'iForgot' instead, then you'll see 'iForgot', not your actual password.
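To illustrate the two points made above (the browser can only hold and reveal the text typed into the field, while the end system should keep only a one-way hash that cannot be turned back into the password), here is an added worked example in Python. It is not code from this thread or from Microsoft's documentation; PBKDF2-HMAC-SHA256 is one common choice of password hash, and the function names, iteration count and sample values are my own constructed assumptions.

```python
"""Server-side hashed credential store vs. what a browser 'reveal' button shows.

Added example, not code from the forum thread. The server never stores a
reversible form of the password: it keeps a random salt plus a slow salted
hash (PBKDF2-HMAC-SHA256), so nobody reading the store can recover the
password. Verification re-hashes the submitted text and compares in
constant time.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Iteration count for PBKDF2; a constructed value for this example.
ITERATIONS = 600_000


@dataclass(frozen=True)
class StoredCredential:
    """What the end system keeps: salt, digest and the cost parameter."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """One-way transform of the password; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt=salt, digest=digest, iterations=iterations)


def verify_password(stored: StoredCredential, submitted: str) -> bool:
    """Re-derive the digest from the submitted text and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def browser_reveal(typed_text: str) -> str:
    """The 'reveal password' button only swaps the asterisks for the field's current text."""
    return typed_text


def demo() -> dict:
    """Constructed scenario using the thread's own sample values."""
    real_password = "0pensesame"          # the password actually registered
    stored = hash_password(real_password)  # all the end system retains
    typed = "iForgot"                      # what the user typed this time

    return {
        # The stored record does not contain the password in any recoverable form.
        "store_contains_plaintext": real_password.encode("utf-8") in (stored.salt + stored.digest),
        # Reveal shows the typed text, not the real password.
        "reveal_shows": browser_reveal(typed),
        # Only the real password verifies against the stored hash.
        "login_with_typed": verify_password(stored, typed),
        "login_with_real": verify_password(stored, real_password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the reveal button returning 'iForgot' while the login check only succeeds for '0pensesame'; the stored record is a salt and a digest, which is why the server side of this design has nothing it could show you.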
For more context, the client is UK based but the workforce is worldwide AND the software is actually running on the employees' own workstations.
What actually runs locally, a thick client for the app or the entire app? Assuming thick client, is no AD (or other identity source) integration possible? I personally hate apps that don't allow linking to an existing identity source - it's just another set of credentials for users to manage and another headache for the service desk.
If it's an entirely local app, what's the purpose of the credentials, does it use an encrypted local DB or something?
As lots of people have already said, it's crap practice to have anyone but the user know their password, but the app itself doesn't seem to be helping matters in this case.
it’s crap practice to have anyone but the user know their password
Indeed it is - but it's also common and crap practice to make the password system too difficult for users to use, as in my example above.
My thinking would be to try to find out why they want it this way, i.e. what problem are they trying to avoid, and then see if you can find another way to solve their issues.
a thick client
We know this but should never refer to them as such, inside voice only 🙂
Not read the entire thread, but it's not such a bad practice, depending on the system and how it is accessed. Setting one very complex password that you never have to enter or remember (except for the first time) is probably safer than one that changes regularly and is hard for a user to remember.
We know this but should never refer to them as such, inside voice only
I did once find myself saying 'fing moron' under my breath in a customer meeting. Luckily he didn't hear me. IIRC his network design was physically impossible, as in it broke many fundamental rules of physics, but he kept insisting he was right. His business plan was dependent on it being possible, so he couldn't change the spec. At that point I realised he was indeed a 'fing moron'.
Several years ago I was in a conf call with a client making some ridiculous requests, a colleague in the room with me decided it would be amusing to take me off mute as I started ranting about what they were asking, luckily they only heard a couple of swear words before I realised :p
On browser passwords, I think you're at angry dolphins.
The 'show password' will swap the *s for whatever is actually in the password text box. The only reason it displays asterisks, as has been common practice in the history of every password entry ever, is to prevent shoulder-surfing. There's no actual security here.
However, browsers also typically offer a 'remember me' feature where they will store your credentials. Security here varies between 'not great' and 'none' depending on browser and OS. On Chrome, if I store them with the browser and want to view passwords then I have to enter a PIN first, which is something. But really, if you want this functionality then you're better off with a trusted Password Manager app.
Post-it notes are old tech, I thought people just used the
Memorableword(n)
Memorableword(n+1)
Memorableword(n+2)
system. Thankfully our passwords are slowly being integrated into our account so are being managed for us, but the weak link is still login. The frustrating bit is we carry RFID for physical access so could use that for 2FA! (Off site we can use MS Authenticator.)
squirrelking - our work passwords would not let you do that.