TextEditor password issue


#1

I might be overly picky here, but when you enable password character changing in TextEditor, the “space” characters are not modified (and, worse, the text glyph layout is kept).
So, if you enter “im im” in the password box, you’ll end up with , instead of 5 .
One can probably use this information to actually brute force the password, since the glyph layout itself is almost unique to the initial encoded character.
This happens when you use “textEditor->setText ("actualPassword")”, but doesn’t happen when the box is initially empty.


#2

The glyph layout isn’t preserved! I just checked to make sure and it seems fine to me (?)

…but you are being pretty paranoid anyway. If an attacker has enough privileges to screen-scrape an app, then it’d be very much easier and more effective for them to just run a key-logger, or scan the user’s files for valuable info.


#3

In the Juce demo, in the widget page, locate and change the code to read:

    textEditor1->setText ("single-line text box with very long (text used to make it wrap in the given box, but it can be anything)");
    textEditor1->setPasswordCharacter((juce_wchar) 0x2022);

You’ll get a screenshot like this one:
[Attached screenshot: bugPW.jpg]

BTW, you’re a bit too tech savvy here. You don’t need a screen scraper, but actually someone watching over your shoulder is enough, and it does come with no privilege, sadly.
Anyway, even if I’m paranoid, you’re probably a perfectionist and you’ll sort that bug out.


#4

Try it the other way round:

    textEditor1->setPasswordCharacter((juce_wchar) 0x2022);
    textEditor1->setText ("single-line text box with very long (text used to make it wrap in the given box, but it can be anything)");

Yes, ok, setting the password character should make it lay its text out again. But I didn’t really expect anyone to suddenly turn their textbox into a password box when they’d already started using it.

(BTW if I was looking over someone’s shoulder to steal their password, I think my first choice would be to watch their fingers rather than the glyph widths!)


#5

Thanks for the trick.
I used the Jucer to build a dialog, and I’ve added the setPasswordChar stuff in the specific [section] that’s later in the constructor code.

If you were beside my back, you’d never be able to see my fingers since I move them faster than you can print in your mind. Anyway, I agree with you, it’s not the most convenient way to break a password.
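
The call-order behaviour discussed in posts #3 and #4, as an added example that is not part of the thread and is not JUCE code: `MaskedField`, `glyphWidth` and the width values are hypothetical, constructed stand-ins for a text field that caches its glyph layout. It shows the stale layout surviving when the mask is set after the text, and the layout becoming uniform either when the mask is set first or when changing the mask triggers a re-layout.

```cpp
#include <set>
#include <string>
#include <vector>

// Constructed advance widths standing in for a proportional font.
static int glyphWidth(char c) {
    switch (c) {
        case ' ': return 3;
        case 'i': return 2;
        case 'm': return 9;
        case '*': return 5;   // the mask glyph
        default:  return 6;
    }
}

// Hypothetical model of a text field that caches per-glyph widths.
class MaskedField {
public:
    explicit MaskedField(bool relayoutOnMaskChange) : relayout(relayoutOnMaskChange) {}
    void setText(const std::string& t) { text = t; layout(); }
    void setPasswordCharacter(char c) {
        mask = c;
        if (relayout) layout();   // fix: drop widths computed from the clear text
    }
    // True when every painted glyph has the same width, so nothing about the text shows.
    bool layoutIsUniform() const {
        return std::set<int>(cached.begin(), cached.end()).size() <= 1;
    }
private:
    void layout() {
        cached.clear();
        for (char c : text) cached.push_back(glyphWidth(mask ? mask : c));
    }
    std::string text;
    std::vector<int> cached;
    char mask = 0;
    bool relayout;
};

// Runs one call order against one field variant and reports whether the layout is uniform.
bool maskedSafely(bool relayoutOnMaskChange, bool maskFirst) {
    MaskedField f(relayoutOnMaskChange);
    if (maskFirst) f.setPasswordCharacter('*');
    f.setText("im im");       // sample text from post #1
    if (!maskFirst) f.setPasswordCharacter('*');
    return f.layoutIsUniform();
}

int main() {
    // Only the unfixed field with the mask set after the text keeps the clear-text layout.
    return (!maskedSafely(false, false) && maskedSafely(false, true)
            && maskedSafely(true, false)) ? 0 : 1;
}
```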