YannickMetz
Enthusiast
Posts: 32
Liked: 3 times
Joined: Nov 06, 2017 12:55 pm
Full Name: Yannick Metz

Feature Request: encryption password

Post by YannickMetz »

Hello,
I've read that every feature request should have a separate topic for discussing reasons.

So my request:
When you add encryption passwords in the password manager there really should be a confirmation field to type the encryption password again to validate if it's correct.
Right now there is only one field to type the password. If you type it wrong and maybe don't find the mistake by clicking on the eye to see the password, you are lost. You can't find the password anywhere and don't know what the mistake in it is. You have to set it again and won't be able to restore those backups in different locations.

This is our case right now. We changed the encryption password for our local backups and somehow there must be a mistake in it we didn't see... we couldn't restore the backup in our cold standby.

Thanks,
Yannick
HannesK
Product Manager
Posts: 14322
Liked: 2890 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Feature Request: encryption password

Post by HannesK »

Hello,
while I understand your concerns / request, I feel that this would make the UI unnecessarily complicated. If we do it at one point, we need to do that for all passwords.

I believe that most people do not type in this kind of password. They should be long and complex. So I expect nearly 100% copy & paste from a password safe.

In general, a lost password should not be a big deal. There is the "lost password" functionality of Enterprise Manager (and there is a warning if someone forgot to configure that).

Best regards,
Hannes
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Feature Request: encryption password

Post by Gostev »

Indeed, the reason why we don't require typing the password again for confirmation is that checking one with a little eye control is much simpler.

The thinking was that double entry is a waste of time in most cases:
1. Short password: mistakes are easy to spot with the eye control.
2. Long passwords: will be copy/pasted anyway, so having to do a second paste is a waste of time.

So we decided not to complicate the experience for everyone over some corner cases.

Interestingly, this is the first such feedback after many years since encryption was added to the product, which also indirectly validates our chosen approach.

Thanks!

Re: Feature Request: encryption password

Post by YannickMetz »

In our scenario copy & paste is restricted due to security reasons, so I have to type a 20-character password with all special characters. And I compared it to our password but still couldn't find the mistake I made.

We have the Enterprise Manager working but it will not help us in our cold standby because the backup server there is not connected to the Enterprise Manager. Or should it still work?
Our cold standby is about 400km away from us and in our case I tried to recover the password by creating a request on the cold standby server and sending the request to our main location and my colleagues tried to validate it. But he got an error that said "validation failed". I think every server should be connected to the Enterprise Manager to get password recovery working, right? This isn't possible in our case.

Thank you.

Re: Feature Request: encryption password

Post by Gostev »

Can you just type the password into Notepad then, twice or even three times if you want (if you use different lines one above the other, any mistyping differences will be immediately visible), and if all passwords end up being the same - copy/paste into Veeam from there? As the Veeam console certainly does not block copy/paste.

I actually do this Notepad workaround myself when I cannot log on to some legacy apps which don't provide password picker controls, and suspect mistyping :D

Correct, the server must be connected to the Enterprise Manager for this functionality to work.

Re: Feature Request: encryption password

Post by YannickMetz »

Well, I have to type it manually if there is no other option..

Just for my understanding: if someone creates a password in the password manager it only has to be typed there one time and can then be used in every job without typing it again. So isn't it faster just to add a validation field instead of typing it two or more times in Notepad and copying it to the password manager? Because you only have to type it in the creation of the password and not in any other job configuration.

Re: Feature Request: encryption password

Post by Gostev »

Not sure I understand what you're saying.
soncscy
Veteran
Posts: 643
Liked: 312 times
Joined: Aug 04, 2019 2:57 pm
Full Name: Harvey

Re: Feature Request: encryption password

Post by soncscy »

I think Yannick is trying to say that it's more convenient to just have a validate field than to use the notepad workaround.

However, @YannickMetz, what possible reason/policy is there for not allowing copy/pasting of passwords from a password manager? Is this an internal policy or something being forced on your team?

https://pages.nist.gov/800-63-3/sp800-63b.html

NIST recommends focus on user accessibility not random security ideas here. From 10.2.1:
User experience during entry of the memorized secret.
Support copy and paste functionality in fields for entering memorized secrets, including passphrases
Such a restrictive policy is inherently anti-user and results in the password appearing in plaintext somewhere, as you're facing now. This is the opposite of security.