Introduction
Recent versions of Clarion have disabled the ability
for a user to paste text into a Password field [1].
While this may be advantageous in some circumstances, it greatly weakens
security in general by preventing the use of secure (i.e. long and random)
passwords generated by password managers. PassPaste is a small template
that allows users to paste text into password fields, using either Ctrl-V
or Right-Mouse-Button / Paste.
All the proceeds collected from this template go to charity (over and
above our normal charitable contributions). For a list of the charities we
regularly support see our Social Responsibility page. If you cannot afford
this product please contact us and we will arrange a free copy for you.
[1] This is likely not an overt action by
SoftVelocity. It is likely to be a side effect of the way a native Windows
entry field is being used.
Features
- Allows the user to Paste text into password fields, using Ctrl-V,
AppsKey, or the Right Mouse popup menu.
- Clears the clipboard after the text is pasted.
- Supports AnyText for popup menu translation. A simple embed point
provided for other translation systems.
- Supports Legacy and ABC applications, Clarion 8 and later.
Why is Pasting Prevented?
Having a password in the clipboard is not ideal
because the clipboard is available to any program on the computer, and is
plain text. Thus if your computer is compromised with some kind of
malware, then that program may be able to inspect the clipboard from time
to time and extract passwords from there. (This argument ignores the issue
that malware can just as easily log keystrokes.) Equally, if the password
is left in the clipboard after use, then another user at your
keyboard can retrieve it simply by pasting into, say, Notepad (if you leave
your desk).
Unfortunately the solution (preventing a Paste) does not fix the root
problem. The user has already copied the password into the clipboard, so
the damage (if there is any) has already been done. Indeed since the user
flow has been interrupted it's possible they may now forget to clear the
clipboard.
PassPaste works to resolve the problem by not only allowing the Paste, but
then immediately clearing the clipboard. Since you are pasting into a
password field, the program is uniquely able to determine that the
clipboard contains a password, and that this password is now no longer
required.
Programs that prevent pasting are making an attempt to educate users. By
not accepting the password they "teach" the user not to copy the password
into the clipboard in the first place. This approach might work if it was
universally adopted, but that is not the case [2].
Since the consensus is that very long, random passwords are the only
protection against off-site brute-force attacks, the use of Password
Managers is by far the best solution to that vulnerability. Given the
choice between (ineffective) local clipboard protection and the risk of
short passwords being brute-forced, the accepted security practice is to
promote long, random passwords and to allow Paste from the clipboard.
References
- Troy Hunt - The "Cobra Effect" that is Disabling Paste on Password Fields.
- Wired Magazine - Websites, Please Stop Blocking Password Managers. It’s 2015.
- OWASP - Authentication Cheat Sheet.
[2] All modern browsers, including Chrome, Firefox,
Safari, IE and Edge allow pasting into password fields.
JumpStart
- Add the PassPaste Global Extension to the application.
- On a window with a Password field add the PassPaste local extension
to the window.
- Set the properties as you wish. See the Template Reference for a list
of properties and what they do.
Multi DLL
If you have a multi-DLL system (i.e. multiple apps) then
you need to add this template to the DataDLL app.
In this app turn on both settings on the Multi-DLL tab.
Then add the Global extension to any other apps that contain password
fields. In these apps only the first checkbox on the Multi-DLL tab should
be on.
Then, in those apps, add the Local extension to any windows that contain a
password field.
Template Reference
Global PassPaste Template
General Tab
Disable All PassPaste Features
Turning this on disables PassPaste in this app. No PassPaste code will
be generated into any procedures.
Multi DLL Tab
This is part of a Multi-DLL program
If this app is part of a multi-app system, then tick this on. It
should be on in all apps in the system where this extension is added
(including EXE apps).
Export Class from this DLL
Tick this on only in the Data DLL. It should be off in the other DLLs
and EXEs.
Local PassPaste Template
Local Options Tab
Allow Ctrl-V
Tick this on to allow pasting via the Ctrl-V key.
Allow Right-Mouse
Tick this on to allow pasting via the Right-Mouse-Button, and AppsKey
on the keyboard.
Implementing in Handcode
Implementing PassPaste in hand-coded procedures is very straightforward.
Adding the PassPaste class to your project
- Add project defines PassPasteDLLMode=>0 and PassPasteLinkMode=>1 to your project.
- Add a global include:
include ('PassPaste.Inc'),Once
Adding a PassPaste object to your Procedure
- Instantiate an object in the procedure:
ThisPassPaste PassPaste
- Initialize the object after the window is opened:
ThisPassPaste.Init()
- Add an event handler inside your ACCEPT loop:
ThisPassPaste.TakeEvent()
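The behaviour PassPaste adds to a password field, as described under "Why is Pasting Prevented?" and in the Class Reference (alert Ctrl-V on the field, paste, clear the clipboard, post Event:Accepted), sketched here as an added example using only Clarion built-ins. This is not PassPaste's source code; the window layout and the LoginPassword variable are assumptions made for the illustration.

```clarion
  PROGRAM
  INCLUDE('KEYCODES.CLW'),ONCE          ! CtrlV keycode equate
  MAP
  END

LoginPassword  STRING(64)               ! assumed USE variable for the field

Window  WINDOW('Login'),AT(,,220,60),CENTER,GRAY,SYSTEM
          PROMPT('Password:'),AT(10,12),USE(?PasswordPrompt)
          ENTRY(@s64),AT(60,10,150,12),USE(LoginPassword),PASSWORD
          BUTTON('OK'),AT(170,36,40,14),USE(?Ok),DEFAULT
        END

  CODE
  OPEN(Window)
  ! Alert Ctrl-V on the password field only, so the program sees the key
  ?LoginPassword{PROP:Alrt,255} = CtrlV
  ACCEPT
    CASE EVENT()
    OF EVENT:AlertKey
      IF FIELD() = ?LoginPassword AND KEYCODE() = CtrlV
        IF CLIPBOARD() <> ''
          ! Pasting into a password field: the clipboard holds a password
          CHANGE(?LoginPassword, CLIPBOARD())
          ! The password is no longer needed there, so overwrite it at once
          SETCLIPBOARD('')
          ! Let normal Accepted handling for the field run on the new value
          POST(EVENT:Accepted, ?LoginPassword)
        END
      END
    OF EVENT:Accepted
      IF FIELD() = ?Ok
        BREAK
      END
    END
  END
  CLOSE(Window)
```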
Class Reference
A single object is able to provide paste support for
any number of controls on the window. The main methods are Init and
TakeEvent. Assignment code must be embedded into the derived Paste method
for the class to work. This is usually done for you by the template.
Properties
The class has no properties.
Methods
AlertKeys
AlertKeys (Long pField, Long pKeyboard, Long pMouse, Long pToggle)
Description
Called internally by the CHECKFIELDS method.
Alerts the Ctrl-V and Right-mouse keys for the field.
Parameters
Parameter | Description
pField | The field number of the field to alert.
pKeyboard | If true then support for the Ctrl-V key is on.
pMouse | If true then support for the Mouse Right Button is on.
pToggle | If true then support for the Ctrl-P key is on. This toggles the PASSWORD attribute on the field.
Return Value
None
Example
ThisPaste.AlertKeys(?password,true,true,true)
See Also
CheckFields
CheckFields
CheckFields (Long pKeyboard, Long pMouse, Long pToggle)
Description
Is called internally from the INIT method. Loops through all the fields
on the window looking for ENTRY fields with the PASSWORD attribute on.
For each of these it calls the ALERTKEYS method.
Parameters
Parameter | Description
pKeyboard | If true then support for the Ctrl-V key is on.
pMouse | If true then support for the Mouse Right Button is on.
pToggle | If true then support for the Ctrl-P key is on. This toggles the PASSWORD attribute on the field.
Return Value
None
Example
ThisPaste.CheckFields(true,true,false)
See Also
Init, AlertKeys
Init
Init (Long pKeyboard = true, Long pMouse=true, Long pToggle=false)
Description
Is called after the window opens. This method looks for all ENTRY
controls on the window with the PASSWORD attribute and adds PassPaste
support to those controls.
Parameters
Parameter | Description
pKeyboard | If true (the default) then support for the Ctrl-V key is on.
pMouse | If true (the default) then support for the Mouse Right Button is on.
pToggle | If true then support for the Ctrl-P key is on. This toggles the PASSWORD attribute on the field.
Return Value
None
Example
ThisPaste.Init()
See Also
TakeEvent
Paste
Paste (Long pField)
Description
Is called to paste the contents of the clipboard into the password
entry control. The method is also responsible for clearing the
clipboard.
Parameters
Parameter | Description
pField | The Field Equate Number of the field to paste into.
Return Value
None
Example
ThisPassPaste.Paste (?Password)
See Also
TakeEvent
TakeEvent
TakeEvent ()
Description
Is called inside the ACCEPT loop. Checks the Event(), Field(), and
Keycode() to see if the PASTE method should be called.
Return Value
True if the event is recognized and handled. False otherwise.
Example
ThisPaste.TakeEvent()
See Also
Init, Paste
Toggle
Toggle (Long pField)
Description
Toggles the state of the field's PASSWORD attribute, i.e. if the
attribute is off it turns it on, and vice versa.
Parameters
Parameter | Description
pField | The Field Equate Number of the field to toggle.
Return Value
None
Example
ThisPassPaste.Toggle(?Password)
See Also
TakeEvent
Trace
Trace (String pStr)
Description
A debugging method used to send text to DebugView. Lines in DebugView
sent by this method will be prefixed with [pp].
Parameters
Parameter | Description
pStr | The string to send to DebugView.
Return Value
None
Example
ThisPassPaste.Trace('Hello World')
Translate
Translate (String pText)
Description
Used to translate any English text used inside the class.
Currently used for the word "Paste" as used in the right-click popup
menu.
Parameters
Parameter | Description
pText | The text to translate.
Return Value
The translated text.
Example
ThisPassPaste.Translate PROCEDURE (String pStr)
ReturnValue  any
  Code
  ! SomeTranslationFunction is a placeholder for your own translation call
  ReturnValue = SomeTranslationFunction(pStr)
  Return ReturnValue
See Also
TakeEvent
Support
Your questions, comments and suggestions are welcome.
See our web page (www.capesoft.com) for new versions. You can also
contact us in one of the following ways:
CapeSoft Support
Email |
Telephone | +27 87 828 0123
Installation
Distribution
There are no files to distribute.
License & Copyright
This template is copyright © 2021 by CapeSoft
Software. None of the included files may be distributed. Your programs
which use PassPaste can be distributed without any PassPaste royalties.
This product is provided as-is. Use it entirely at your own risk. Use of
this product implies your acceptance of this, along with the recognition
of the copyright stated above. In no way will CapeSoft Software, their
employees or affiliates be liable in any way for any damages or business
losses you may incur as a direct or indirect result of using this product.
Version History
Version 1.12 (25 October 2021)
- Fix: INC file missing from build.
Version 1.11 (25 October 2021)
- Fix: TakeEvent handled keyboard and mouse events even if template
options were off.
Version 1.10 (9 July 2021)
- Add: Optional Ctrl-P support to the field. Ctrl-P toggles the
Password property, so the contents of the field become visible.
- Change: If a password field is visible (ie no password attribute)
then Ctrl-V and other pasting still works.
- Add: Toggle method.
Version 1.03 (24 May 2021)
Version 1.02 (16 July 2020)
- Add: Event:Accepted posted to Password field when the value is pasted
into the field.
Version 1.01 (18 Sept 2018)
- Add: Clarion 11 to install.
Version 1.0 (14 April 2017)