Bug#503618: kopete: password fields do not accept pasting
On Monday 27 October 2008 13:09, Lisandro Damián Nicanor Pérez Meyer
<perezmeyer@gmail.com> wrote:
> > I believe that rejecting a pasted password encourages users to use
> > shorter passwords and therefore decreases security.
>
> Rejecting passwords means that a password should not be put in the
> clipboard nor any intermediate memory. That's why pasting is disabled. I
> think this bug should be closed, but I leave it to another more experienced
> person.

Firstly, let's entirely skip the "intermediate memory" issue. When you are
running on an X system (kopete is an X application) and you don't have
Security Enhanced X (which is not in Lenny and I will be struggling to get it
in Lenny+1) or a similar MAC system then every single X client can read the
keyboard. So whatever password you type in to kopete can be read by
konqueror, kmail, or any of the other network-facing (and thus risky in terms
of security) KDE applications.

In terms of the clipboard, you can of course ssh to a remote machine as root
and then paste a password into an xterm (or konsole) window. Such a password
is probably going to be significantly more important than a Jabber password.
You also can paste a password into a form on any web browser (I do it all the
time with Konqueror). So in the case of using Google Applications for a
Jabber server, I could paste my gmail.com password into a Gmail login window,
but not paste the same password into kopete.

Finally, it's a bit silly to support non-SSL protocols (giving the password to
anyone on the net between you and the server) while not supporting pasting
passwords (where all programs that can access the clipboard have the same
security level for X use).
--
Russell Coker <russell@coker.com.au>
http://etbe.coker.com.au/ My Blog
http://etbe.coker.com.au/category/security/ My Security blog posts
http://www.coker.com.au/selinux/play.html My Play Machine, root PW "SELINUX"