This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 249707

Summary: Password field leaks character type boundaries
Product: platform Reporter: tiz.io
Component: Dialogs&WizardsAssignee: Stanislav Aubrecht <saubrecht>
Status: NEW ---    
Severity: normal    
Priority: P4    
Version: 8.0.2   
Hardware: Macintosh   
OS: Mac OS X   
Issue Type: DEFECT Exception Reporter:

Description tiz.io 2015-01-09 00:26:03 UTC 
Product Version = NetBeans IDE 8.0.2 (Build 201411181905)
Operating System = Mac OS X version 10.10.1 running on x86_64
Java; VM; Vendor = 1.8.0_25
Runtime = Java HotSpot(TM) 64-Bit Server VM 25.25-b02

Double-click selecting the obscured characters in a password field stops highlighting at character type boundary, leaking information about the location of special characters in the password.

Repro:
1) Open any dialogue box that prompts for a password.
2) Type in the following password abcd#abcd
3) Double-click the first four dots of the obscured password.
4) Observe that only the first half of the password is selected.  Selection stops at the character-type boundary.

With this information, a password's strength is compromised by disclosing possible patterns that vastly reduce the problem space for a brute-force attack.