On Monday 27 October 2008 13:09, Lisandro Damián Nicanor Pérez Meyer <[EMAIL PROTECTED]> wrote:
> > I believe that rejecting a pasted password encourages users to use
> > shorter passwords and therefore decreases security.
>
> Rejecting passwords means that a password should not be put in the
> clipboard nor any intermediate memory. That's why pasting is disabled. I
> think this bug should be closed, but I leave it to another more experienced
> person.

Firstly let's entirely skip the "intermediate memory" issue. When you are running on an X system (kopete is an X application) and you don't have Security Enhanced X (which is not in Lenny and I will be struggling to get it in Lenny+1) or a similar MAC system then every single X client can read the keyboard. So whatever password you type in to kopete can be read by konqueror, kmail, or any of the other network-facing (and thus risky in terms of security) KDE applications.

In terms of the clipboard, you can of course ssh to a remote machine as root and then paste a password into an xterm (or konsole) window. Such a password is probably going to be significantly more important than a Jabber password. You also can paste a password into a form on any web browser (I do it all the time with Konqueror). So in the case of using Google Applications for a Jabber server, I could paste my gmail.com password into a Gmail login window, but not paste the same password into kopete.

Finally it's a bit silly to support non-SSL protocols (giving the password to anyone on the net between you and the server) while not supporting pasting passwords (where all programs that can access the clipboard have the same security level for X use).

-- 
Russell Coker <[EMAIL PROTECTED]>
http://etbe.coker.com.au/ My Blog
http://etbe.coker.com.au/category/security/ My Security blog posts
http://www.coker.com.au/selinux/play.html My Play Machine, root PW "SELINUX"