Securing the password page

This post is first in the series of engineering blogs where we would discuss technologies used behind device42. In this post, we would briefly discuss a new feature in upcoming release v3.1.3 for password page security for better centralized password management.

The Goal

The goal here was simple enough, if a user is on the password page and session is expired, the password should not be visible on the screen anymore. We introduced global inactivity timeout in v2.5 for better user control over when the session times out. Only issue is if a user click show password button and walks away, the screen would still show the password even after the session has timed out. Any click to browse any part of the page or web console, would take user to the login screen because session has expired.

The Solution

Inline with our mantra of keeping it simple, we are introducing a simple new feature. If a user is on the password page and there is no activity for 1 minute, the session would be automatically logged out. This works only on the password page(s), so if user is on list, view or edit password page and there is no mouse or keyboard activity for 1 minute, the logout happens.

Technology behind the scenes

Credit goes to Paul Irish for providing a simple and powerful jquery plugin called idletimer. The plugin does what it says, detects the idle time and takes action as defined. We thought about hiding the password after 20 seconds first and leave rest to global inactivity timeout, but finally decided on 1 minute automatic logout. We would love to hear your feedback on this.

A better way to share passwords between teams

So download your copy today for device42 for complete asset and inventory management where you can also share passwords between teams securely and optionally assign passwords to devices.