bad feature

[Keunwoo Lee]

On Wed, 23 Oct 2002, Thomas Zander wrote:

> > On Mit, 23 Okt 2002, Thomas Zander wrote:
> > 
> > > Since some time konqueror clears the password fields so I can't press back and
> > > re-commit. I know this feature from IE and always hated it, its just very bad
> > > for usability.
> >
> > But its very good for security :)
> 
> I disagree; its a false sense of security. If only since session cookies are still
> available. Now; if you empty the password field when a cookie that is set as a result
> of that form is expired; then it makes sense. Now its just annoying and does not add
> any security.
> 
> Again; closing konqueror (or even logging out of X) is the only way you
> can be 'secure' in this matter.

Actually, KDE stores cookies in a separate process (the kcookiejar), and
closing Konqueror doesn't wipe the cookies.  Logging out of X ups the
security level, but if you're going to be fussy to that degree, then the
only way to *really* be "secure" is to rewrite KDE to use locked memory
for password data so that nothing ever gets paged to the swapfile.  This
would, however, require that Konq etc. run setuid root, which leads to
other problems.

Not storing password fields is a sensible middle ground.  Note that on a
properly written site, a compromise of your session cookie is in a
different class than a compromise of your password: one allows an attacker
to hijack your current session, the other allows the attacker to login as
you in the future and probably do arbitrary other things.

> If you still think the users like this (and talk to any windows user
> will prove otherwise) please tell me where I can change this behavior on
> my system :)

Speaking as a user, not a developer, a feature that makes life marginally
more convenient for users (how long, really, does it take you to retype
your password?  1 second?), yet leads to a significant loss in security,
is not worth the cost/benefit tradeoff to me.

~k