+1
Declined

Password character count

Wouter van der Post 8 years ago in Applications / i3 Pro updated by Aleksandr Romanov (CTO) 7 years ago 7

Hello,


In version 1.1.6 you've added a function to validate passwords (IR.ValidatePassword), thanks for that!

In our passcode visualization we have circles to show the keys pressed, this works exactly like on an iPhone. 

Image 19937


Can you add a function to get the password character count? I can use that to build the screen layout.


Sample

var passwordLength = IR.GetPasswordCount(pwd_number);

If in the project settings the password is not specified, the method will return -1;

Alexander,


Please can you answer this question?


Wouter is waiting for it.


Thanks


Theo

Declined

Hello,

we discus it with Wouter on ISE.

It's not a good solution to suggest the length of the password to the user. Because prompting the length of the password we simplify the task of password selection by an attacker.


We not have any plans to implement this features.

Hello Aleksandr,


Yes, we discussed it but at that time you didn't tell me that you were not going to implement this feature.


On an Apple device you also see the length of the password (using the same interface as I've built), and I don't think a company like Apple would implement something like that if it was a security issue...

Besides, we're talking about a touchscreen interface, not a banking application ;)

If you compare with Apple, then:
1. Apple does not give applications the ability to know how many characters in the password  ;)
2. Security is achieved by blocking after several attempts.


I think that the smart home application is more dangerous than the banking one - because unauthorized management of the house is not only a matter of privacy of information, but also a real threat to life.

1. I'm talking about the lockscreen, not an app.

2. This feature can be build as well, call the new ValidatePassword several times with an incorrect password and let i3 wait for x-time (increasing after each failed attempt)


But I'll just keep my own JS to handle/serve the password UI instead of using the ValidatePassword function + i3 Pro built-in password management, this way the password is in plain text inside the JavaScript... much nicer solution right?

Of course not, I agree that it's better to use internal application methods. But understand that, in addition to you, no one asked about this possibility. This is a matter of priorities and if only one person asks for a new  opportunity, and in the past six months no one has addressed such a request, any doubt of expediency (and a security issue is a good "doubt") lead to the cancellation of the task.

EDIT: I misunderstand the topic


code below is just password length of what user input


#####################################


I solve it this way:

var GUI_PG_PASS = IR.GetPopup("pop_Security"); //password page
//clear button
IR.AddListener(IR.EVENT_ITEM_PRESS,GUI_PG_PASS.GetItem("passClear"),function()
{
      IR.SetVariable("Global.tmp_password", "" );
      IR.SetVariable("Global.tmp_access_level",0);
});
//number button 1
IR.AddListener(IR.EVENT_ITEM_PRESS,GUI_PG_PASS.GetItem("pass1"),function()
{
        IR.SetVariable("Global.tmp_password", String(IR.GetVariable("Global.tmp_password"))+"1" );
});
// same as this for number 2-9
function onPasswordChange()
{
     var thisVal = IR.GetVariable("Global.tmp_password");
     var passLen = thisVal.length;  //  character count using standard Java script
     //IR.GetPopup("pop_Security").GetItem("pass_led1");
     var GUI_PASS_LED1 = IR.GetPopup("pop_Security").GetItem("pass_led1");
     var GUI_PASS_LED2 = IR.GetPopup("pop_Security").GetItem("pass_led2");
     var GUI_PASS_LED3 = IR.GetPopup("pop_Security").GetItem("pass_led3");
     var GUI_PASS_LED4 = IR.GetPopup("pop_Security").GetItem("pass_led4");
     
     IR.Log("passLen!"+passLen);
     if(passLen>=4)
     {
        GUI_PASS_LED1.Value = 1;
        GUI_PASS_LED2.Value = 1;
        GUI_PASS_LED3.Value = 1;
        GUI_PASS_LED4.Value = 1;
     }
     else if(passLen==3)
     {
         GUI_PASS_LED1.Value = 1;
         GUI_PASS_LED2.Value = 1;
         GUI_PASS_LED3.Value = 1;
         GUI_PASS_LED4.Value = 0;
     }
     else if(passLen==2)
     {
         GUI_PASS_LED1.Value = 1;
         GUI_PASS_LED2.Value = 1;
         GUI_PASS_LED3.Value = 0;
         GUI_PASS_LED4.Value = 0;
     }
     else if(passLen==1)
     {
         GUI_PASS_LED1.Value = 1;
         GUI_PASS_LED2.Value = 0;
         GUI_PASS_LED3.Value = 0;
         GUI_PASS_LED4.Value = 0;
     }
     else
     {
         GUI_PASS_LED1.Value = 0;
         GUI_PASS_LED2.Value = 0;
         GUI_PASS_LED3.Value = 0;
         GUI_PASS_LED4.Value = 0;
     }
     
    
      if (IR.ValidatePassword(4, thisVal)) {
          IR.Log("Access confirmed 4!");
          IR.SetVariable("Global.tmp_access_level",4);
          
      } else if (IR.ValidatePassword(3, thisVal)) {    
          IR.Log("Access confirmed 3!");
          IR.SetVariable("Global.tmp_access_level",3);
          
      } else if (IR.ValidatePassword(2, thisVal)) {    
          IR.Log("Access confirmed 2!");
          IR.SetVariable("Global.tmp_access_level",2);
          
      } else if (IR.ValidatePassword(1, thisVal)) {    
          IR.Log("Access confirmed 1!");
          IR.SetVariable("Global.tmp_access_level",1);
          
      } else {
          IR.Log("Access denied!");
      }
      
      if(passLen >= PASS_MAX_LEN)
      {
         IR.SetVariable("Global.tmp_password", "" );
      }
     
}