
From: Jacob Morzinski <morzinski@mit.edu>
To: kfw-bugs@mit.edu
Subject: KfW should not display my password in LRUPrincipals
Date: Fri, 25 Apr 2008 17:49:22 -0400

Hello! I think the design of the Net ID Manager has a bug,
and am writing in the hope that the design can be improved.


Summary
========
Please give the Network Identity Manager a way to clear or edit
the list of Recently Used Principals. I typo'd my password into
the Username field, and was disturbed to see the password saved
there forever, with no way to clear it from the list.

Context
========
I'm using Kerberos for Windows 3.2.2
NetIDMgr's menu for Help > About says "NetIDMgr 1.3.1.0"
I have Windows XP SP2

Details
========
KfW opened the "New credentials" dialog window on my computer.
I glanced at it, quickly typed my password and pressed the Enter key.
I got a "Decrypt integrity check failed" error.
The error probably means that input focus had been in the "username"
field and not the password field. Ok, I can retype, no problem...

...wait. Argh.
The program keeps a saved list of "usernames", and it saved my password.
I can find no way to clear the list of saved usernames.
My password is immortalized in the list of recently-typed usernames.
Great.


Digging around the registry, I found the key
HKCU\Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters
which lets me remove my password by editing "LRUPrincipals".

I shouldn't need to go registry-diving for this. Can the NetIDMgr
be improved to allow me to remove entries from the LRUPrincipals list?

One suggestion for the design of this would be to have a UI element
visible in the drop-down list itself -- perhaps the list of saved
usernames can have a separator at the bottom, and then an entry
for "clear this list" or "edit this list". Or perhaps something
in the preferences windows would work. I'm not a GUI designer,
and perhaps an actual designer would have better suggestions.



Thanks for reading, and I hope NetIDMgr can be persuaded to stop
saving typo'd passwords.


Regards,
-Jacob


--
Jacob Morzinski <morzinski@mit.edu>
Client Support Services
Information Services and Technology

> Thanks for reading, and I hope NetIDMgr can be persuaded to stop
> saving typo'd passwords.
>

Jacob:

In NIMv2 the user interface no longer provides for a username field to
type into so I believe the problem has already been solved.

However, I would like to ask. Did you try removing the incorrect
network identity from the list of Network Identities?

1. Choose Options->Identities from the menu
2. Select the identity in the list
3. Press Remove Identity

Jeffrey Altman

From: Jacob Morzinski <morzinski@MIT.EDU>
Subject: Re: [krbdev.mit.edu #5951] KfW should not display my password in LRUPrincipals
Date: Mon, 28 Apr 2008 12:31:38 -0400
To: rt@krbdev.mit.edu
RT-Send-Cc:
Hi,

Yes, I did. The difficulty is that the list of saved usernames is
separate from the list of identities.

These screenshots may illustrate. Observe that the list of saved
usernames has one entry that is not in the list of Network
identities, and that the list of Network identities has three entries
that are not in the list of saved usernames.
[Attached screenshots: new-credentials.png, identities.png]



The information that NIMv2 has no username field leaves me a bit
confused, but I'll hope for the best.

Regards,
-Jacob


On Apr 25, 2008, at 7:44 PM, Jeffrey Altman via RT wrote:
> However, I would like to ask. Did you try removing the incorrect
> network identity from the list of Network Identities?
>
> 1. Choose Options->Identities from the menu
> 2. Select the identity in the list
> 3. Press Remove Identity
>
Date: Mon, 28 Apr 2008 12:43:19 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5951] KfW should not display my password in LRUPrincipals
RT-Send-Cc:
Jacob Morzinski via RT wrote:
> The information that NIMv2 has no username field leaves me a bit
> confused, but I'll hope for the best.
>
> Regards,
> -Jacob
>
See
http://www.secure-endpoints.com/netidmgr/proposal-nim-multiple-id-nc-ux.pdf

It includes mockups.