
Lotus Notes Sucks: Example 1

The Logon Window

Problem

When I start Lotus Notes, I must enter my password in this window:

Logon Dialog Box
(This is an animated GIF; be sure your browser is displaying the animation so you can be irritated by it)

Analysis

This dialog box contains several security "features":

Is any of this nonsense really necessary? If I want to learn someone's password as he or she types it, I will look at the keyboard, not the screen!

It's an email application, not a utility that allows you to delete every file on your network servers.

Update for Version 6.5.2

Logon Dialog Box, version 6.5.2

The dialog box looks different, but the underlying stupidity of the "distracting" hieroglyphics remains.

Feedback from Users

I received this the other day, explaining that the hieroglyphics serve a different purpose.

... you are ranting about the hieroglyphics on the logon window. Your suggestion that they are there to distract observers is kind of ridiculous and certainly reduces your credibility among people who know the real answer. It's actually a rather clever feedback system to help you know if you've typed your password correctly before pressing ENTER. The hieroglyphics (in R5) or keyring (in R6) use a fairly sophisticated algorithm to respond to your password without actually exposing any of the characters. If you type your password correctly, you'll always wind up in the same state with the same figure, a yellow key on the left side in my case. However the transitions are not directly related to the characters typed and are also related to the user name, so even with a film of the changes it would be very hard to get a password from it. Okay, so it really doesn't matter for most people these days, but a few years ago for people with a slow network it was usually much faster to backspace and correct the password than to wait for the server to tell you you'd messed it up.
I basically agree that the fudging of password length is kind of useless, and obviously useless if an observer can see your fingers—but nothing helps in that case. I guess they are concerned about over-the-shoulder snoops, who can usually see the screen more easily than the hands. In those cases the number of characters is an important aid for dictionary attacks. However, you're so hyperbolic there I was expecting you to attack the idea of hiding the password on any display--except that is a "distracting" feature of almost every program that uses passwords.

First, I want to thank the user for taking the time to write.

In my defense, I will say that my rant on the hieroglyphics is based on what we were told during our "training" to use the product. If I am wrong, then the instructors are wrong. As for the "clever feedback system," it is not clever when it is not at all obvious what it is and I can't find documentation about it in the Lotus Notes help.

More from Other Users

From Black_Adder, 22 Dec 2005:

The primary purpose of the icons is to defeat trojan horse programs that steal passwords! The Lotus Notes logon dialog is far more secure than other logon dialogs.

When you have typed your password correctly, the same graphic will always display, thus defeating any trojan horse that attempts to mimic the Lotus Notes logon.

Here is an extract from 'Lotus Notes and Domino R5.0 Security Infrastructure Revealed' (http://www.redbooks.ibm.com/abstracts/sg245341.html?Open), which has been available in the public domain since May 1999.

Anti-Spoofing Password Dialog Box

To defeat dictionary or brute force attacks on ID file passwords and to reduce the risk of password capture, Notes employs an anti-spoofing password dialog box. If users enter an incorrect password, Notes waits for several seconds before allowing them to try again. This delay increases with each incorrect attempt to a maximum of thirty seconds. The delay feature makes it difficult to try rapidly many passwords in succession in the hope of guessing the right combination. Also, the dialog box has a series of hieroglyphic symbols on the left side that change as users enter their password. The figure below shows the password dialog box with the hieroglyphic symbols on the left side.

These dynamic symbols make it more difficult to substitute a false dialog box that captures passwords in place of the Notes dialog box. Tell users to be alert to the symbols as they enter their passwords - if they notice that the symbols do not change or are not present, they should stop entering their password and click Cancel.

And there's this from Jamie:

There's another practical purpose behind the password prompt hieroglyphics. They exist so that you know that the password prompt is really coming from Notes, and not a spoofed dialog box that someone placed into an application to steal your password. I can programmatically add a few lines of code into an application or even your mail file to prompt you with a dialog box that looks like the password box, and then that code can email me your password and user id file. However, I can NOT create such a box that will have animated hieroglyphics. So if you see a box asking for your password but without the hieroglyphics, you have reason to be suspicious.

The problem with the logon window is that nowhere is it explained what the purpose of any of this is. It may be difficult to spoof the logon window, but not impossible. There's nothing about it (that I can find) in the Help system. So what good is any of it? Since the logon window is so different from any other application, wouldn't a short explanation with a link to more information be a good idea? I know that when the latest version of Internet Explorer tries to download an ActiveX component, it warns you about the negative consequences of downloading from untrusted sources, etc. Lotus Notes does none of that.
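The two behaviours the correspondents describe, a typing-feedback symbol that is stable for a given user and password without revealing the characters, and a retry delay that grows with each failure to a 30-second cap, modelled as an added Python example. This is not Notes' code and not its real algorithm: the symbol names, the HMAC construction keyed on the user name, the doubling delay schedule and the `PasswordDialog` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed symbol set standing in for the dialog's hieroglyphics (assumption).
SYMBOLS = ("ankh", "eye", "bird", "scarab", "key", "lotus", "sun", "snake")


def symbol_for(username: str, typed_so_far: str) -> str:
    """Symbol to display after the user has typed `typed_so_far`.

    A keyed digest of the partial password: it depends on the user name and on
    everything typed so far, so the same user and password always end on the
    same symbol, while one symbol out of eight reveals little about the keys.
    """
    mac = hmac.new(username.encode(), typed_so_far.encode(), hashlib.sha256)
    return SYMBOLS[mac.digest()[0] % len(SYMBOLS)]


def symbol_trail(username: str, password: str) -> list[str]:
    """Sequence of symbols shown while the whole password is typed."""
    return [symbol_for(username, password[:i]) for i in range(1, len(password) + 1)]


def retry_delay(failed_attempts: int, cap_seconds: int = 30) -> int:
    """Seconds to wait before the next attempt: doubles per failure, capped (assumed schedule)."""
    if failed_attempts <= 0:
        return 0
    return min(2 ** failed_attempts, cap_seconds)


@dataclass
class PasswordDialog:
    username: str
    password_hash: bytes  # keep a digest, never the password itself
    failures: int = 0

    @classmethod
    def for_password(cls, username: str, password: str) -> "PasswordDialog":
        return cls(username, hashlib.sha256(password.encode()).digest())

    def attempt(self, password: str) -> tuple[bool, int]:
        """Check a password; return (accepted, seconds to wait before retrying)."""
        ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.password_hash)
        self.failures = 0 if ok else self.failures + 1
        return ok, retry_delay(self.failures)
```

The symbol stream gives the typing feedback the first correspondent describes; how much it resists a mimicking dialog depends on the mimic being unable to reproduce the algorithm, which is the point the author disputes.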

User Interface Guideline Violations

Conclusion

Lotus Notes sucks.