Re: Please give pgAdmin 4 its own GUI. The constant password inputs are driving me insane...

From: Michel Feinstein <michelfeinstein(at)gmail(dot)com>
To: Avin Kavish <avinkavish(at)gmail(dot)com>
Cc: richard coleman <rcoleman(dot)ascentgl(at)gmail(dot)com>, Dave Page <dpage(at)pgadmin(dot)org>, "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>
Subject: Re: Please give pgAdmin 4 its own GUI. The constant password inputs are driving me insane...
Date: 2019-07-25 13:51:42
Message-ID: CAEg4jbM380OugpKt59SV++C9azFRoaBBBGci_ALYyVbuN2AndQ@mail.gmail.com
Lists: pgadmin-support

Avin,

There's a lengthy explanation about the vulnerabilities around the Master
Password solution; if you can't find it on the list, please let me know.

In a nutshell, malware downloaded onto a machine (or a malicious browser
extension) could search for pgAdmin passwords and steal them.

Many people use pgAdmin on their personal laptops, especially at startups
and people with remote jobs, junior developers with DB access who are not
security aware, etc.

Best wishes,

Michel.

PS: I am not a developer for the project, but I am the one who reported
this issue.

On Thu, Jul 25, 2019, 10:44 Avin Kavish <avinkavish(at)gmail(dot)com> wrote:

> Guys I think we should take a breather on both sides, all I did was ask
> for clarification on why it was implemented. While I appreciate it, there's
> no need to sympathise with me, I don't have any feelings regarding it. Only
> that me as personal user does not need it. The original somewhat
> confrontational/ranty email was by someone else. Maybe replying to that was
> a bad idea since it may have set up the tone for the rest of the
> conversation.
>
> I think corporate security needs to be prioritised over the slight
> inconvenience presented to personal users. I think it is okay to be enabled
> by default. Perhaps a more convenient menu option to turn it off
> would be nice (but I am not asking for it; maybe I'll get around to it when
> I have the time).
>
> Peace ✌
>
> On Thu, Jul 25, 2019 at 6:56 PM richard coleman <
> rcoleman(dot)ascentgl(at)gmail(dot)com> wrote:
>
>> Dave,
>>
>> There is no attack of any kind in that post. I am sympathizing with
>> Avin. While I agree that there are use cases where a *master password* feature
>> makes sense, I disagree that it is the *majority* of cases, or even
>> applicable to the *majority* of users. Therefore I believe that it is
>> *implemented* poorly. If history is any guide there will be plenty more
>> users stumbling across this list frustrated and just wanting to know how to
>> 'get rid of' or simply 'turn it off'.
>>
>> So where I wrote sympathy and solutions, you choose to see attacks. I
>> think that says more about you than about myself.
>>
>> If the pgAdmin developers want *nothing* but praise and the occasional
>> sterile bug report they should probably stop reading, or shut down this
>> list. After all, a link to the redmine bug report page
>> <https://redmine.postgresql.org> would suffice for the latter.
>>
>> Whether writing commercial or open source software, paid or volunteer,
>> some people are *not* going to agree with your choices or decisions
>> (just ask Linus). As long as we are criticizing the software and not the
>> people writing it, the software and all of us, end up better for it.
>>
>> I hope you take the time to think about what I've written,
>>
>> rik.
>>
>>
>>
>>
>> On Thu, Jul 25, 2019 at 8:49 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>>
>>> Richard,
>>>
>>> On Thu, Jul 25, 2019 at 1:08 PM richard coleman <
>>> rcoleman(dot)ascentgl(at)gmail(dot)com> wrote:
>>>
>>>> Avin,
>>>>
>>>> I agree, the master password *nonsense* was poorly implemented. I too
>>>> wish the developers would rethink it. Until then there is a way to disable
>>>> it by setting an option in a config file. I can provide more details if
>>>> you would like (or you could look for other more expansive posts by myself
>>>> on this topic in the list archives).
>>>>
>>>
>>> You've made your feelings known many times now, and we're all well aware
>>> of them - just as you are aware that there are legitimate security concerns
>>> that caused it to be implemented (that were raised by end users), ones that
>>> arguably warrant a medium level CVSS vulnerability score
>>> (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N), and other concerns such as
>>> allowing a network administrator to enforce security policy that led to the
>>> design.
>>>
>>> Please refrain from any further remarks that disparage the work of
>>> people who - in many cases, voluntarily - spend hundreds or thousands of
>>> hours of their time developing software that you get to use freely.
>>> Constructive feedback and better yet ideas or code are welcome always, but
>>> repeated negativity that is borderline ad hominem is not.
>>>
>>> --
>>> Dave Page
>>> Blog: http://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>>
