From: Jacob Morzinski <morzinski@mit.edu>
To: kfw-bugs@mit.edu
Subject: KfW should not display my password in LRUPrincipals
Date: Fri, 25 Apr 2008 17:49:22 -0400

Hello! I think the design of the Net ID Manager has a bug,
and am writing in the hope that the design can be improved.

Summary
========
Please give the Network Identity Manager a way to clear or edit
the list of Recently Used Principals. I typo'd my password into
the Username field, and was disturbed to see the password saved
there forever, with no way to clear it from the list.

Context
========
I'm using Kerberos for Windows 3.2.2
NetIDMgr's menu for Help > About says "NetIDMgr 1.3.1.0"
I have Windows XP SP2

Details
========
KfW opened the "New credentials" dialog window on my computer.
I glanced at it, quickly typed my password and pressed the Enter key.
I got a "Decrypt integrity check failed" error.

The error probably means that input focus had been in the "username"
field and not the password field. Ok, I can retype, no problem...

...wait. Argh.

The program keeps a saved list of "usernames", and it saved my password.
I can find no way to clear the list of saved usernames.
My password is immortalized in the list of recently-typed usernames.
Great.

Digging around the registry, I found the key
  HKCU\Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred\Parameters
which lets me remove my password by editing "LRUPrincipals".

I shouldn't need to go registry-diving for this. Can the NetIDMgr
be improved to allow me to remove entries from the LRUPrincipals list?

One suggestion for the design of this would be to have a UI element
visible in the drop-down list itself -- perhaps the list of saved
usernames can have a separator at the bottom, and then an entry
for "clear this list" or "edit this list". Or perhaps something
in the preferences windows would work. I'm not a GUI designer,
and perhaps an actual designer would have better suggestions.

Thanks for reading, and I hope NetIDMgr can be persuaded to stop
saving typo'd passwords.

Regards,
-Jacob
--
Jacob Morzinski <morzinski@mit.edu>
Client Support Services
Information Services and Technology