Idea ID: 2786923

Complex password copy and paste in CG 5.2

Status: Waiting for Votes
In Change Guardian 5.2, the ability to copy passwords was removed. However, this also affects the ability to copy complex passwords when creating new local users. I have the need for a local CG account that will hopefully allow the ability to deploy the CG agent via an SCCM-type tool. However, it will be difficult to create a long/complex password if I have to manually type something like "KrV(QW#pg2hb8Nq" into Change Guardian. I/other users of your product are likely to use a less complex password, thus making the product LESS secure, i.e. this will be an unintended consequence of this change in 5.2.

Labels:

Other
  • Agree, seems like they are implementing old, outdated security ideas that have been proven to decrease the security of a system.

  • Disallowing pasting of passwords is in conflict with the NIST Digital Identity Guidelines:

    https://pages.nist.gov/800-63-3/sp800-63b.html 5.1.1.2 Memorized Secret Verifiers

    Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

    In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed. The verifier MAY also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

    Norbert