Potential Security Issue with Windows 7, the TIP, and Passwords?

GottaBeMobile.com reader Medic / Willem Evenhuis just posted a YouTube video (see below) demonstrating a possible security bug with Windows 7 and their password security setting in the TIP, which is supposed to keep the password from being displayed while it is being entered via the onscreen keyboard. It is clear from his video that the password he is entering is being shown on the keyboard while he uses the onscreen keyboard to type it out, and he says that the TIP security is at the highest setting. I’ve tested this on my end using several websites and the log on screen, and it functions as designed for me. Anyone else having this problem? I’m definitely not seeing it on my end, but it doesn’t mean a potentially serious security bug isn’t there.

If you are testing out Windows 7, leave us a comment and let us know your experience. In addition, be sure to report this bug if you are experiencing it, too. This issue is also being discussed in our forums.

Update:
Here is part 2 where Medic shows us that the security setting is indeed set to the Highest setting, and the password clearly being seen as the keys are pecked out on the onscreen keyboard. This is a huge issue, as the default security setting on the TIP is supposed to prevent this. In addition, as this is the only beta being shipped, it is critical that this get fixed before the Release Candidate is nailed down. If you are testing Windows 7, report as a bug….

Original video

Comments

  1. ericthebikeman says

    I’ve never seen this on Win 7. I have a HP 2710p and the install of Windows 7.7000 is bone stock.

  2. Jake says

    I just tested it and was able to reproduce the problem using Firefox. I’m running the beta on my 2730p.

    I’m got to say I’m really loving the new TIP.

  3. Vyk says

    Hm… interesting.
    I was also able to reproduce that problem.
    However, it only seems to happen with Firefox.
    I do have very little installed on my machine and most of what I’ve tested so far are all related to MS though.

    Tested Apps
    - Windows Log in
    - Internet Explorer
    - Onenote Encrypted Notebooks
    - Network Set up Password (WPA, WPA2 etc)
    - Live Mesh beta
    - WinRar compressing with password
    - Alzip compressing with password

    I’ll continue to test whatever I have installed.

  4. GoodThings2Life says

    Agreed, I can only duplicate this in Firefox, and let’s face it– Firefox has never been very TIP compliant.

  5. chad says

    That is an odd problem. Just as everyone else I cannot reproduce it on build 7000 on 2 different systems (1510D and X200T) and I tried it on a third VM with the On Screen Keyboard. Dunno where the settings are stored but I’m guessing it’s in the registry. If the reg keys are unavailable or cannot be accessed I wonder if the OSK defaults back to this security level. it may be a good try to delete the registy keys and toggle the settings to kick it into gear.

  6. chad says

    I should have said I cannot duplicate this with the logon screen, I do see this in FF but as GoodThings2Life said firefox has never had great integration with touch features.

Leave a Reply