Hiding passwords to applications

  • 7940118
  • 19-Aug-2009
  • 26-Apr-2012

Environment

SecureLogin
SecureLogin SSO
All Versions
MS AD, LDAP, NT4, Citrix, Terminal Services


Situation

Issue

Using SecureLogin, you can choose whether or not you want your users to be able to view their passwords to applications.

The customer doesn’t want users to be able to view their application passwords, so that users never know them and therefore can’t write them down or share them.

During testing, the SSO administrator set the option to hide the viewing of passwords on OU=Users using the MMC snap-in. They verified that the option to view passwords was not checked on the User object.

Although everything appears set to deny the user access to view their passwords, the user is still able to access the SecureLogin workstation tool (system tray icon) to view their passwords.

Resolution

Cause

When the SSO administrator defined the variables in the application definition, they used variable names that aren’t hidden by SecureLogin. For example, the password for e-mail was stored as $eMailPassword.

The setting that allows the viewing of passwords only affects variables that start with $Password. Any variable starting with $Password cannot be read by anyone other than the user, even by Administrators with Supervisor privileges on the network. They will also be entered as ****** whenever they are being saved or updated.

  • $PasswordeMail will be hidden and protected
  • $Password_Hotmail will be hidden and protected
  • $Password2 will be hidden and protected
  • $PasswordPIN will be hidden and protected
  • $PIN will NOT be hidden
  • $Pass will NOT be hidden
  • $2Password will NOT be hidden
  • $Hotmail_Password will NOT be hidden

In addition, all variables that don’t begin with $Password will display in clear text in the workstation tool and in management tools such as MMC and ConsoleOne. They can also be read by Administrators (and others you allow access to). For example, an Administrator could see the value of $Username is JCitizen but not the $Password value.

Solution

Variables were renamed to begin with $Password. The option to hide passwords now works as designed. All passwords are hidden and protected. No one, not even administrators, can view the user’s passwords.
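
As an added example (not part of the original article and not SecureLogin's own tooling), the naming rule described under Cause can be checked with a short Python audit of application definition text before it is deployed. The sample definition is constructed for illustration only; the case-sensitive prefix match and the list of name hints are assumptions.

```python
import re

HIDDEN_PREFIX = "$Password"   # prefix the article says SecureLogin hides
# Assumption: name fragments suggesting a variable stores a secret.
# Substring matching can over-report (e.g. "pin" inside an unrelated word).
SECRET_HINTS = ("pass", "pwd", "pin", "secret")
VAR_RE = re.compile(r"\$\w+")  # $Name tokens as written in the article

def is_hidden(name):
    """True if the name begins with $Password (exact case: assumption)."""
    return name.startswith(HIDDEN_PREFIX)

def audit(definition_text):
    """Return (line number, variable) pairs for variables whose name
    suggests a secret but which do not start with $Password."""
    findings = []
    for lineno, line in enumerate(definition_text.splitlines(), start=1):
        for name in VAR_RE.findall(line):
            if is_hidden(name):
                continue
            if any(hint in name.lower() for hint in SECRET_HINTS):
                findings.append((lineno, name))
    return findings

# Constructed sample definition text (illustrative, not from the article).
SAMPLE = """\
Dialog
  Class "#32770"
  Title "Mail Login"
EndDialog
Type $Username #1001
Type $eMailPassword #1002
Type $PIN #1003
Type $Password_Hotmail #1004
"""

if __name__ == "__main__":
    for lineno, name in audit(SAMPLE):
        print(f"line {lineno}: {name} is not hidden; rename it to start with {HIDDEN_PREFIX}")
```

Variables such as $Username are not reported because their names do not suggest a secret, but as the article notes they remain readable in clear text in the workstation and management tools.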