Replies: 18 comments 21 replies
-
This is intentional, protect your computer instead. If somebody gets physical access to your machine, nothing can help you.
-
What kind of answer is this? Of course I protect my computer. But you add layers of protection.
-
I have rephrased my request, perhaps that makes it more clear.
-
If it’s intentional then that is very poor security, I’d love to see an extra layer applied as the OP has suggested. It makes sense, particularly in this day and age of cyber warfare.
-
No, very poor security is leaving your computer accessible. There are a number of apps that do this the same way, including web browsers. While this certainly can be done, I consider it to have very low priority.
-
I've not seen a browser that does this.
-
So the first layer of security fails, you think it's acceptable for a lacklustre app to open you up to a plethora of other issues? I sense a severe lack of understanding of security fundamentals from the devs on this one...
-
@majkinetor This is different from the use case we previously discussed. OP suggested that a secondary authentication be required to display passwords; our previous discussion was about the startup password for the app and the need to enter the password again after being away for a period of time. I don't think the startup password for the app is very necessary, but a secondary confirmation for displaying passwords could be useful. I've had a few instances where I need to let a friend use my PC temporarily, and they can copy my remote system passwords directly from 1Remote if they want.
append: However, after thinking for a while, I realized that having only a secondary verification for viewing passwords will still have a problem, as my friend could simply copy my database without guessing what the password is. So it is necessary to use the password to encrypt the database to ensure security. However, since we now support multiple databases and database sharing, it may be that two databases use different passwords, which will be a challenge for both system development and user experience.
append2: Even if the databases are encrypted, my friends could still copy my entire system environment to their PC. Then although they wouldn't be able to view the passwords, they would be able to connect to my remote system. (This is because the encrypted passwords need to be stored somewhere in the system, otherwise I would need to enter the password every time I opened 1Remote. Especially when I connect to multiple databases, I don't want to have to enter multiple passwords before I can use 1Remote.)
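An added example, not written by anyone in this thread and not 1Remote's code: a sketch of the point in the comment above that a copied database only stays protected if the stored passwords are encrypted under a user password. The helper names, the blob layout and the PBKDF2 iteration count are assumptions, and the sample values are constructed.

```powershell
using namespace System.Security.Cryptography
# Added example. Protect-Field / Unprotect-Field are hypothetical helpers, not 1Remote APIs.
# Blob layout (assumed): salt(16) | IV(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32)

function Get-DerivedKeys([string]$Password, [byte[]]$Salt) {
    # PBKDF2-HMAC-SHA256; 64 bytes are split into an encryption key and a MAC key
    $kdf = [Rfc2898DeriveBytes]::new($Password, $Salt, 600000, [HashAlgorithmName]::SHA256)
    try { $k = $kdf.GetBytes(64) } finally { $kdf.Dispose() }
    return @{ Enc = [byte[]]($k[0..31]); Mac = [byte[]]($k[32..63]) }
}

function Protect-Field([string]$Plain, [string]$Password) {
    $salt = [byte[]]::new(16)
    $rng = [RandomNumberGenerator]::Create()
    $rng.GetBytes($salt); $rng.Dispose()
    $keys = Get-DerivedKeys $Password $salt
    $aes = [Aes]::Create()          # CBC/PKCS7 defaults, fresh random IV per instance
    $aes.Key = $keys.Enc
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plain)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    $body = [byte[]]($salt + $aes.IV + $ct)
    # Encrypt-then-MAC: the tag covers salt, IV and ciphertext
    $tag = [HMACSHA256]::new($keys.Mac).ComputeHash($body)
    return [Convert]::ToBase64String([byte[]]($body + $tag))
}

function Unprotect-Field([string]$Blob, [string]$Password) {
    $raw = [Convert]::FromBase64String($Blob)
    $n = $raw.Length
    $keys = Get-DerivedKeys $Password ([byte[]]($raw[0..15]))
    $expected = [HMACSHA256]::new($keys.Mac).ComputeHash($raw, 0, $n - 32)
    # Compare the tag without an early exit before touching the ciphertext
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $raw[$n - 32 + $i]) }
    if ($diff -ne 0) { throw 'Wrong password or modified data' }
    $aes = [Aes]::Create()
    $aes.Key = $keys.Enc
    $aes.IV = [byte[]]($raw[16..31])
    $pt = $aes.CreateDecryptor().TransformFinalBlock($raw, 32, $n - 64)
    return [Text.Encoding]::UTF8.GetString($pt)
}

# Constructed sample: the blob is what would sit in the database file
$blob = Protect-Field 'constructed-sample-password' 'constructed master passphrase'
Unprotect-Field $blob 'constructed master passphrase'
# Someone who copied only the blob and guesses the passphrase gets an error, not the secret
try { Unprotect-Field $blob 'wrong guess' } catch { $_.Exception.Message }
```

As the comment's second append points out, this protects a copied database only while the passphrase or derived key is not cached next to it.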
-
You are correct with the appends. You could add a startup pass. This will apply to all DB files. So if one would share it, it would need to know that password. Because it would ask when opened.
-
I sense you should use another program with "more" security :) There is a very serious lack of understanding of security here for sure. FYI, keyloggers are a thing! Please inform yourself better before accusing other people of lack of understanding.
-
Hey everyone, let's calm down, OK? It's true that password protection is a weak point for PRemoteM. suggestions are valid, but we also acknowledge that when someone has physical access to your PC desktop, any security measure may fail. @majkinetor @beasthouse-au Both of you are just focusing on different security points, so there's no need to blame each other. There is also a personal taste for me. I'm too lazy to enter a password every time, so I tend to sacrifice some security for convenience (because I can almost ensure the security of my PC). That's why I haven't added startup password protection and have given this feature a low priority (to the extent that I can't find the previous discussion about the startup password now).
-
That's why I asked for it to be optional 😁
-
Here it is: Also: #429
-
That link seems a bit outdated and not really up to par in modern ages. I think adding Windows Hello is actually a viable option and shouldn't be that hard.
-
@bokkoman you need to provide argumentation for your claims, otherwise your stance will get ignored. Like I said earlier, physical access to your computer makes any protection you have void because it's trivial to circumvent it (unless you use strong encryption). There is even an old adage: if the bad guy gets physical access, the computer is no longer yours.
What we have currently is password hiding via asterisk, which is to prevent shoulder surfing. Like I already said, major tools don't do this, here is a screenshot from Firefox: Imagine what happens when I click the eye button. The same is true for Chrome. It's because they know password is useless.
Now, if we imagine this will get done one day, for whatever invalid reason, I would personally not use any kind of solution that doesn't prompt with OS password. It could easily be tested with equivalent of this:

```powershell
$PlainPassword = "your_password"
$tmp = New-TemporaryFile
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Env:USERNAME, $SecurePassword
# Run whoami as the current user with the supplied password and wait for it to finish;
# the process only starts (and writes its output) if the password is valid
Start-Process whoami -Credential $Credentials -RedirectStandardOutput $tmp -Wait
(Get-Content $tmp -ErrorAction ignore) -like "*\$Env:Username"   # true if password is OK
Remove-Item $tmp -ErrorAction ignore
```

It's trivial to do and doesn't require from user to do anything apart from maybe enabling it in config. However, it's invalid, because it's trivial to circumvent by having access to the computer
So you have to be extremely unmotivated to not get one's passwords. It could stop little kids and babies though 🍼
Now, what could be done. We could save passwords in Windows Credential Manager instead of the database directly. This is how RDP actually does it natively. However, those are easily obtained once you have access to the OS - if you have access to username, it's trivial, because you have an eye button again :) If you have other users, there are a number of tools that let you hijack OS.
-
If you click that, it will ask for your password. If it doesn't, you didn't set up Firefox properly.
-
Generally every password manager out there that exists offers two major functionalities here and follows basic opsec, which is generally what appears to be requested by the community yet rejected by the devs for some unknown reason.
Regarding cloud based managers, not a single one of them stores anything in plain text, and for anyone to insinuate otherwise means said individual has no clue what they're talking about. For a pretty solid write-up, see 1Password's white paper. Of course, given physical access, security drops significantly, but it can be made so one effectively has to freeze and get information from RAM or via a keylogger. Which at that point if your system is that compromised, you're screwed anyway. Physical access to the db or software should never reasonably provide direct ease of access without some sort of additional (optional) protection as requested here in sum.
-
Currently, everyone can see the passwords if my PC is still open.
They open the app, go to edit a connection and press the View password button.
This is very unsafe!
Describe the solution you'd like