A site devoted to discussing techniques that promote quality and ethical practices in software development.

Wednesday, July 29, 2015

Caveat for Link Market Services Registry users using Password Manager

This is a note for users of the Link Market Services share registry who use a password manager to manage their passwords.

It seems Link Market Services discourages people from using a password manager, a practice recommended by security experts, and expects its users to have some sort of psychic power to work out why.

Recently I encountered an operation that required me to supply the Transaction Password. Since I use a password manager to generate and record passwords, I simply asked it to transfer the transaction password into the field on the Link Market Services web page. The transfer happened flawlessly, but the Confirm button remained disabled as if I had not typed anything. That was strange. There was no textual guidance and no pop-up message box to tell the user what to do.

Not deterred by this, I did some experiments, and this is what you have to do if you want to use a password manager:
1) Transfer the Transaction Password into the field in the normal way your password manager offers.
2) Click in the field and press the End key to force the cursor to the end of your password (or type a character at the end of the password and immediately delete it).

The moment you have completed step 2, the Confirm button is enabled. At that stage the web page has no idea whether what you have entered is a valid transaction password.

It seems the web page has a user-interface bug: it fails to recognise the field's change event and only reacts to keystrokes, which is why a navigation key such as End is enough to wake it up.

This kind of bad user-interface design makes your software suck. If you do not want users to transfer data, say via the clipboard, disable the paste operation and offer the users some form of guidance. If your web site does not have a general-purpose help e-mail address, you need to make sure its user interface is perfect and idiot-proof.

On the subject of the Transaction Password, this is their mandated rule:

When you use the settings facility to change the Transaction Password and use a password manager to generate the new one (highly recommended), execute step 2 above after you have transferred the new password into the field. That action triggers the script on the page to evaluate the supplied password. It seems this page has a bug similar to the one mentioned above.
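The behaviour described above, on the confirmation page and again on the change-password page, is what you get when a form enables its button from keyboard events instead of from the field's value. The following is an added example, not code from this blog or from Link Market Services. It models a password field with a small stand-in built on Node's global EventTarget so it runs without a browser; the FakePasswordInput, FakeConfirmButton, the eight-character rule and the sample secret are assumptions for illustration, not the registry's actual rule or script. It wires the same field two ways: keyup only (the bug: autofill never fires a key event, but pressing End does) and input/change plus a re-check the form can run on submit (which also covers password managers that assign the value without dispatching any event at all).

```javascript
// Added example: why a button wired to key events ignores a password manager's autofill.
// Stand-in for <input type="password">; Node's global EventTarget/Event replace the DOM.
class FakePasswordInput extends EventTarget {
  constructor() {
    super();
    this.value = '';
  }
  // A real keystroke: keydown fires, the value changes, then input and keyup fire.
  type(text) {
    for (const ch of text) {
      this.dispatchEvent(new Event('keydown'));
      this.value += ch;
      this.dispatchEvent(new Event('input'));
      this.dispatchEvent(new Event('keyup'));
    }
  }
  // A navigation key such as End: key events fire but the value is unchanged,
  // so no 'input' event is generated. This is the workaround from the post.
  pressEnd() {
    this.dispatchEvent(new Event('keydown'));
    this.dispatchEvent(new Event('keyup'));
  }
  // Password-manager autofill (assumed model): the value is assigned by script and,
  // for the better extensions, 'input' and 'change' are dispatched; key events never fire.
  autofill(secret, { withEvents = true } = {}) {
    this.value = secret;
    if (withEvents) {
      this.dispatchEvent(new Event('input'));
      this.dispatchEvent(new Event('change'));
    }
  }
}

class FakeConfirmButton {
  constructor() { this.disabled = true; }
}

// Placeholder validity rule; the registry's real rule is not reproduced here.
function looksLikeTransactionPassword(value) {
  return value.length >= 8;
}

// Buggy wiring: only keystrokes are observed, so a scripted fill is never noticed.
function wireKeyupOnly(input, button) {
  const update = () => { button.disabled = !looksLikeTransactionPassword(input.value); };
  input.addEventListener('keyup', update);
  return update;
}

// Corrected wiring: observe value changes, and hand back update() so the form can
// re-run it on focus or submit as a last resort for fills that dispatch nothing.
function wireInputAndChange(input, button) {
  const update = () => { button.disabled = !looksLikeTransactionPassword(input.value); };
  for (const name of ['input', 'change']) input.addEventListener(name, update);
  return update;
}

const SAMPLE_SECRET = 'x7Qp!m2L#vR9'; // constructed sample value, 12 characters

function runScenarios() {
  const out = {};

  // 1. Keyboard-only wiring: disabled after autofill, enabled after pressing End.
  {
    const input = new FakePasswordInput(), button = new FakeConfirmButton();
    wireKeyupOnly(input, button);
    input.autofill(SAMPLE_SECRET);
    const afterAutofill = !button.disabled;
    input.pressEnd();
    out.keyupOnly = { afterAutofill, afterEndKey: !button.disabled };
  }

  // 2. Value-change wiring sees an autofill that dispatches 'input'/'change' immediately.
  {
    const input = new FakePasswordInput(), button = new FakeConfirmButton();
    wireInputAndChange(input, button);
    input.autofill(SAMPLE_SECRET);
    out.inputChange = { afterAutofill: !button.disabled };
  }

  // 3. Value-change wiring against a silent autofill: still disabled until the
  //    form re-runs the check (e.g. on submit or when the field regains focus).
  {
    const input = new FakePasswordInput(), button = new FakeConfirmButton();
    const recheck = wireInputAndChange(input, button);
    input.autofill(SAMPLE_SECRET, { withEvents: false });
    const afterSilentAutofill = !button.disabled;
    recheck();
    out.silentAutofill = { afterSilentAutofill, afterRecheck: !button.disabled };
  }

  // 4. Plain typing works under either wiring, which is why the bug went unnoticed.
  {
    const input = new FakePasswordInput(), button = new FakeConfirmButton();
    wireKeyupOnly(input, button);
    input.type(SAMPLE_SECRET);
    out.typed = { afterTyping: !button.disabled };
  }
  return out;
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with node (version 15 or later for the global EventTarget); it prints the four scenario results. Whichever wiring is used, the enabled state of the button is only a convenience for the user: the server has to validate the transaction password on submission regardless of what the client-side script decided, so the fix is purely about not locking out people who paste or autofill.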

One wonders whether Link Market's mandated rule encourages users to choose strong passwords at all. If Link Market discourages its users from using a password manager, they will undoubtedly choose easy-to-remember passwords (which also end up being easily guessed by an attacker).

For example, the passwords Pauline1, Password1 and Ab1234567 comply with the rule, but according to Microsoft's password checker or Kaspersky's checker they are weak; all three follow the familiar pattern of a capitalised word or letter run followed by digits, which is among the first patterns a cracking tool tries. It is therefore better to encourage your users to use a password manager than to force them to choose an easy-to-remember password.
