[4.0.0.013] Tomcat pwd during install is clear-text


Adam Cameron

Oct 24, 2012, 12:57:32 PM
to ra...@googlegroups.com
G'day
I'm just reinstalling the Tomcat version of Railo to do some investigation about what all the fuss is about with the installer, and noticed that the 4.0.0.013 still suffers from something I spotted in the 3.x installer... the password one enters for Tomcat is displayed on the screen. It should be a password field.

As this is with the installer and not with Railo itself (as I have learned today, you guys consider these separate things), I'm not sure if I should raise a bug on the usual bug tracker or what..?

Cheers.

--
Adam

Matt Quackenbush

Oct 24, 2012, 1:01:02 PM
to ra...@googlegroups.com
Curious: Why should it be a password field? It's obviously not intended for anyone's eyes but the admin doing the installation.

Adam Cameron

Oct 24, 2012, 1:06:00 PM
to ra...@googlegroups.com
Because it looks half-baked and amateurish, Matt.

This is not intended as an indictment of the bods doing the installer (it's easy to overlook stuff, and there's a difference between something overlooked looking half-baked, and it being half-baked, which I do not think the Railo installer), it's just the most accurate response to Matt's somewhat obtuse question.

Cheers.

--
Adam

Mark Drew

Oct 24, 2012, 1:08:01 PM
to ra...@googlegroups.com
I had a similar discussion about a different password field. 

What it comes down to is that if you are putting in a password, that you are going to then use somewhere else (first installer then in web app) you should be able to see it. Otherwise you need to add TWO fields, so that you can confirm that what you typed (and cannot see) is the correct thing. 

Now, since this should be an admin anyway, on an admin account doing system administration, I think it's ok maybe? But it can be argued both ways.

Mark Drew
 
Railo Technologies Professional Open Source
skype: mark_railo ma...@getrailo.com
+44 7971 852296 http://www.getrailo.com

Matt Quackenbush

Oct 24, 2012, 1:08:15 PM
to ra...@googlegroups.com
Ahh. Right. Of course. Adam Cameron says it is so, so it is so. I momentarily forgot who the author of the post was. Of course it's my fault that I ask an obvious question. How dare I?

Mark Drew

Oct 24, 2012, 1:10:41 PM
to ra...@googlegroups.com
Because it looks half-baked and amateurish, Matt.
Be polite and non confrontational please :) 


This is not intended as an indictment of the bods doing the installer (it's easy to overlook stuff, and there's a difference between something overlooked looking half-baked, and it being half-baked, which I do not think the Railo installer), it's just the most accurate response to Matt's somewhat obtuse question.
See my previous post, it was something that we have done on purpose in the Railo Administrator for example. If you go to the Server Administrator -> Security -> Password and you see the field:

Set default password

Set the default password for all web administrators
Password: The new password for the administrator


You can see that that is NOT a password field and we thought about it and discussed why at the time. Since you need to SEE it to make sure you know what it is. 

Regards

Mark Drew



Matt Quackenbush

Oct 24, 2012, 1:12:04 PM
to ra...@googlegroups.com
On Wed, Oct 24, 2012 at 12:10 PM, Mark Drew <ma...@getrailo.com> wrote:
Because it looks half-baked and amateurish, Matt.
Be polite and non confrontational please :) 



Consider the source. I clearly failed to do so. My apologies.

Adam Cameron

Oct 24, 2012, 1:18:01 PM
to ra...@googlegroups.com
I dunno Mark.  I just cringe every time I see a password in plain text.  I also have a sense of dread in these situations that if they overlooked security in this regard... where else are they being lax?  And it just diminishes my confidence in the product.  I don't mean Railo when I say that, I just mean in the rare situation when this happens... not that I can actually remember the last time I saw something like this, TBH.  There's a point in itself: there's a "fairly strong" precedent in almost the entire rest of the industry to keep passwords non-viewable at all times. Do you not think there's a sound basis for this?

Quite simply it's a vector for a security breach.  I work in a busy office where people who do secure work sit next to people who don't.  What if my colleague the sysadmin is setting up a new [thing], starts keying in their secure admin password (typing at 50wpm), simply not expecting the password to be in plain text.  There's the password for all to see.  And someone happens to be walking past and see it.  Or even part of it.

I come from a network security background (albeit many years ago), and if I was to be evaluating Railo for use in an environment where security is taken seriously, I would fail it on the basis of this.  These days I'm just a developer, so I don't really give a shit when it's just on my own machine, to be honest.

taking a different tack: let's turn the question around.  Other than just for the sake of trying to justify why something should stay the way it is, why would you have a pwd field in plain text?  And a second question, if you were creating that form now, what sort of field would you make it?

-- 
Adam

Adam Cameron

Oct 24, 2012, 1:22:44 PM
to ra...@googlegroups.com


On Wednesday, October 24, 2012 6:10:54 PM UTC+1, Mark Drew wrote:
Because it looks half-baked and amateurish, Matt.
Be polite and non confrontational please :) 


As per the sentence right after that, I qualified that there's a difference between looking amateurish and the people doing the work being amateurish. I just assumed it was an oversight. And everyone commits oversights.

If anything, suggesting Matt was being obtuse was the confrontational bit.  Or just being accurate. I dunno if it can be both at once.  Probably yes.
 

See my previous post, it was something that we have done on purpose in the Railo Administrator for example. If you go to the Server Administrator -> Security -> Password and you see the field:

Yeah, I just saw the Jira ticket referring to that.  To my horror.
 
I added a suggestion to it.

https://issues.jboss.org/browse/RAILO-1371#comment-12728953

Your approach here is way wrong, sorry.  IMO, obviously, in case anyone thinks I'm pronouncing the truth rather than just expressing my opinion (which I try to back up, generally).

Cheers.

--
Adam

Jordan Michaels

Oct 24, 2012, 1:27:15 PM
to ra...@googlegroups.com
Guys,

This has already been addressed in the latest BETA3.

Grab a copy here and let me know what you think:
http://railo.viviotech.net/

It hasn't been moved to the Railo server yet because there are several
changes to it, and I haven't finished documenting it yet. New features:

1) Tomcat/railo admin password field is starred out by default now. New
confirm field has been added to ensure password accuracy.
2) All tomcat ports are now configurable during install (shutdown and
AJP port were not configurable previously)
3) Windows installer now supports Windows 2012 and Windows 8 (thanks to
Bilal)
4) mod_jk has been replaced with mod_proxy as per the recommendation of
Tomcat developers and the increasing difficulty of getting binaries of
mod_jk for various platforms.

Please help me test BETA3 and let me know what you think!


Warm Regards,
Jordan Michaels


Matt Quackenbush

Oct 24, 2012, 1:26:45 PM
to ra...@googlegroups.com
On Wed, Oct 24, 2012 at 12:22 PM, Adam Cameron <adamcamero...@gmail.com> wrote:


On Wednesday, October 24, 2012 6:10:54 PM UTC+1, Mark Drew wrote:
Because it looks half-baked and amateurish, Matt.
Be polite and non confrontational please :) 


As per the sentence right after that, I qualified that there's s difference between looking amateurish and the people doing the work being amateurish.  I just assumed it was an oversight.  And everyone commits oversights.

If anything, suggesting Matt was being obtuse was the confrontational bit.  Or just being accurate. I dunno if it can be both at once.  Probably yes.


How the hell is asking an honest question - impossible to ascertain the basis of your opinion (which you *always* state as fact) without - being obtuse? 

 

Adam Cameron

Oct 24, 2012, 1:29:19 PM
to ra...@googlegroups.com
Cool.  Will grab it now.

Peter Boughton

Oct 24, 2012, 1:32:14 PM
to ra...@googlegroups.com
I've seen somewhere (I forget where) that has a standard masked password field, with an accompanying option saying "show me the password".

This has the benefit of being masked (preventing looking over shoulder) whilst also enabling the value to be retrieved when required.

Seems like this might be a sensible way to do it for the default password option in the server admin?

Adam Cameron

Oct 24, 2012, 1:37:45 PM
to ra...@googlegroups.com
Yeah, Windows does that with a WLAN key, and cellphones often do this with password fields as you're typing them in.

That said, it should only be possible for values that originate from the current user typing into the field.  You definitely should not be pulling actual passwords back from [anywhere], and then give people the option to see them.  Indeed the password should never exist in clear text, it should be hashed, and the hash saved.

There should be no way to retrieve an already-entered password.  It should be possible to reset a password without knowing what the old password was, perhaps, but even that should be something that's very secure, and not accessible in the normal course of events.

--
Adam

Adam Cameron

Oct 24, 2012, 1:42:01 PM
to ra...@googlegroups.com


On Wednesday, October 24, 2012 6:27:07 PM UTC+1, QuackFuzed wrote:
How the hell is asking an honest question - impossible to ascertain the basis of your opinion (which you *always* state as fact) without - being obtuse? 

 
Sorry Matt: to me, someone questioning why a password field ought to not be in plain text is just obtuse.

I didn't think you were genuinely asking that question, I thought you were just engaging in some sort of err... rhetoric.  Not sure if that's the right word.  Anyway, I didn't think you were actually asking the question out of a desire to find out what the answer was, anyhow.

--
Adam

Matt Quackenbush

Oct 24, 2012, 1:58:26 PM
to ra...@googlegroups.com
You obviously don't know me very well. I don't mince words. If my intention was to point something out, I would come right out and do it. Instead, I gave you the benefit of the doubt and in return you proved yourself to be exactly what the consensus impression of you is.

Peter Boughton

Oct 24, 2012, 1:59:34 PM
to ra...@googlegroups.com
> Indeed the password should never exist in clear text, it should be hashed, and the hash saved.

That's missing a few steps - if all you do is hash a password
(especially with the default MD5 hash) then it can be brute-forced in
a matter of minutes (if not seconds).

For securely storing passwords, you want a key derivation function -
popular ones include bcrypt, pbkdf2, scrypt - which ensure brute-forcing
takes years/millennia (and can be progressively strengthened as
hardware speeds up).



> It should be possible to reset a password without knowing what the old password was, perhaps,
> but even that should be something that's very secure

Given that we're talking about the Server Admin here, resetting a Web
Admin password doesn't need to have any extra security - access to the
Server Admin is already secured?

Although I guess there's the whole issue of whether admin access is
required to go through HTTPS or not, otherwise passwords are of course
sent in plain text at login time, which isn't good.
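
Adam's "hash it and save the hash" and Peter's correction above, side by side, as an added example that is not code from this thread or from Railo: an unsalted MD5 hash falls to a tiny wordlist instantly, while a salted PBKDF2-HMAC-SHA256 record with a stored iteration count makes every guess expensive and can be strengthened later. The wordlist, passwords and record format are constructed for the demonstration.

```python
"""Added example (not Railo's code): plain MD5 password hash versus a
salted PBKDF2-HMAC-SHA256 record with an adjustable cost. All values,
including the wordlist and the record format, are constructed here."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the dictionaries a guessing tool would use.
WORDLIST = ["password", "letmein", "railo", "tomcat", "admin123", "changeme"]

def md5_hex(password):
    # "Just hashing" as discussed above: no salt, no cost, one fast pass.
    return hashlib.md5(password.encode()).hexdigest()

def crack_md5(target_hex, wordlist):
    # One MD5 per guess, so the whole list is tried in far under a millisecond.
    for guess in wordlist:
        if md5_hex(guess) == target_hex:
            return guess
    return None

def pbkdf2_hash(password, salt=None, iterations=200_000):
    # The record carries algorithm, cost and salt, so the cost can be raised
    # later (as hardware speeds up) without breaking verification of old records.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak the stored bytes.
    return hmac.compare_digest(dk.hex(), dk_hex)

def guesses_per_second(hash_fn, seconds=0.2):
    # Single-thread guess rate; the gap between the two functions is the point.
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)

if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(md5_hex("tomcat"), WORDLIST))
    record = pbkdf2_hash("tomcat")
    print("PBKDF2 verify:", pbkdf2_verify("tomcat", record), pbkdf2_verify("Tomcat", record))
    slow = lambda p: pbkdf2_hash(p, b"\x00" * 16, 200_000)
    print("guesses/s  md5: %.0f  pbkdf2: %.2f"
          % (guesses_per_second(md5_hex), guesses_per_second(slow)))
```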

Denny

Oct 24, 2012, 2:10:03 PM
to ra...@googlegroups.com
On 10/24/12 11:37 AM, Adam Cameron wrote:
> Yeah, Windows does that with a WLAN key, and cellphones often do this with
> password fields *as you're typing them in*.
>
> That said, it should only be possible for values that originate from the
> current user typing into the field. You definitely should *not *be pulling
> actual passwords back from [anywhere], and then give people the option to
> see them. Indeed the password should never exist in clear text, it should
> be hashed, and the hash saved.

Great in theory, not really doable in "real life" when you're a "glue"
type of application framework.

> There should be no way to retrieve an already-entered password. It should
> be possible to reset a password without knowing what the old password was,
> perhaps, but even that should be something that's very secure, and not
> accessible in the normal course of events.
>

You're forgetting that we are middle men to some extent, with databases,
APIs, etc. so on and so forth. We store things encrypted, and security
is an onion, etc., and if you have concerns -- now this is freaking
awesome -- you can audit the code yourself! Or even hire someone to
audit it! Yay open source! :) (seriously tho- this is *huge* if you
are all 'bout security)

In general I agree with you 100%. One-way is best.

And look how freaking awesome Jordan is-- this particular issue was
already addressed! I remember him saying "I want to address this" with
a prior release... and then he did! Yay Jordan! I just wish he
wouldn't go all Hulk stylez on folks all the time. ;)

:Denny

--
Railo Technologies: getrailo.com Professional Open Source
Skype: valliantster (505)510.1336 de...@getrailo.com
GnuPG-FP: DDEB 16E1 EF43 DCFD 0AEE 5CD0 964B B7B0 1C22 CB62

Mark Drew

Oct 24, 2012, 2:25:30 PM
to ra...@googlegroups.com
The easy solution is to make your default password "********" and you are done :D
Mark Drew
 
Railo Technologies Professional Open Source
skype: mark_railo ma...@getrailo.com

Adam Cameron

Oct 24, 2012, 2:30:05 PM
to ra...@googlegroups.com


On Wednesday, October 24, 2012 6:58:48 PM UTC+1, QuackFuzed wrote:
You obviously don't know me very well. I don't mince words. If my intention was to point something out, I would come right out and do it. Instead, I gave you the benefit of the doubt and in return you proved yourself to be exactly what the consensus impression of you is.


Hmmm.  My irony alarm just went off a bit there.

Matt - I don't mean this to be patronising at all, but I fear it will sound that way (so sorry) - but all I did was to say I thought you were being obtuse. You know that's not a swear word or in any way "abuse", yeah? And I said that because I thought you were. I did explain this earlier.

I think if you were to review who of the two of us have been saying what on this thread, you might find you've been dishing out a lot more than you have been receiving.

Anyway, no worries.  I'm a big boy and it's nae bother.  Just an observation.

(Sincerely) sorry if I helped you twist your panties a bit there.

Cheers.

--
Adam

Adam Cameron

Oct 24, 2012, 2:31:58 PM
to ra...@googlegroups.com


On Wednesday, October 24, 2012 6:59:57 PM UTC+1, Peter Boughton wrote:
> Indeed the password should never exist in clear text, it should be hashed, and the hash saved.

That's missing a few steps - if all you do is hash a password
(especially with the default MD5 hash) then it can be brute-forced in
a matter of minutes (if not seconds).


Yep, sure. I was not intending my comment to be the exact instructions of how it should be done. I think what I was driving at was to store them in a non-reversible format.

Agree with everything else you say.  Cheers for the clarification of the hashing thing.

--
Adam

Adam Cameron

Oct 24, 2012, 2:34:59 PM
to ra...@googlegroups.com


On Wednesday, October 24, 2012 7:25:40 PM UTC+1, Mark Drew wrote:
The easy solution is to make your default password "********" and you are done :D


HOW'D YOU GUESS MY PASSWORD??

Seriously, I'm actually all for not even having passwords in these situations.  As someone said... the thing should already be secured anyhow.  I don't have passwords on stuff in CFAdmin, instead relying on the rather more robust security the box it's running on and the firewall.

Indeed I voted on a ticket to reduce the enforced password length in Railo just before sitting down to start this thread.

All I think is that if passwords are involved, they should be treated with appropriate "care".

Cheers.

--
Adam

Adam Cameron

Oct 24, 2012, 2:35:51 PM
to ra...@googlegroups.com
Denny: nothing to add other than everything you say makes good sense.

--
Adam