Support

Akeeba Backup for Joomla!

#35474 Disable ANGIE Password Warning?

Posted in ‘Akeeba Backup for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Backup version
n/a

Latest post by on Wednesday, 04 August 2021 20:17 CDT

Oxgourd

Description of my issue:

I would like to disable the ANGIE password warning that appears every time I run a backup. I already know that I have set an ANGIE password. It is always set.

nicholas
Akeeba Staff
Manager

You cannot disable that warning. There's a good reason behind it.

This warning appears if there is ANGIE password set up either in the Configuration page or in the Backup Now page. The problem is that we cannot know if you intended for a password to be set. Many browsers and third party password managers will just see that there is a password field and automatically file it in with whichever password they feel is the right one. In many cases this is your Joomla administrator password.

After the umpteenth ticket we received asking us what is the ANGIE password and why do we password protect the restoration without telling anyone the password (well, we don't!) we added this warning. An option to remove that warning would take us back to the same problem as having no warning so we are definitely not going to implement a feature to remove this warning. You can ignore it. In fact, it tells you that it only applies if you didn't know that you had set an ANGIE password.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Oxgourd

Yes, I completely understand the reason why the warning is there. I have had the same problem with data fields being populated without my knowledge in other online forms, and it can cause calamity. However, for those of us who always use a password, it means that we we will become acclimated to ignoring warnings that are not valid for us. If the option to disable it was available, then each new warning that we see would have greater significance.

nicholas
Akeeba Staff
Manager

We have taken that into account as well. What we have implemented now and the way it is implemented is the least problematic solution to an issue caused by your browsers.

The technically correct solution we cannot implement is documenting that you need to disable password auto-filling in your browser. Your browser or password manager violates the Principle of Least Astonishment (POLA) and our documentation would tell you how to fix that. However, people wouldn't appreciate this for what I would hope is obvious reasons.

In fact, this is why this warning appears at the top of the Backup Now progress page and nowhere else. All other important warnings which can be detected reliably server-side appear in the Control Panel page and the top of the Backup Now setup page. They even have links which explain why they are there and how to solve them.

Again, as I said before, there is no way to divine the intent server-side. There is no real way to deal with it client-side either! Yes, we do have some JavaScript to reset the contents of the field after a small delay BUT some browsers add a variable delay of their own AND this doesn't work if it's auto-filled in the scant milliseconds between the page loading and the backup starting when you use the One Click Backup feature.

So, given that this is a browser issue we can't work around we are left with these options:

  • Make the ANGIE password field a text field so it's not auto-filled. The problem is that even though it's not a real password people get upset as evidenced by their reaction to the remote backup secret word not being a password field anymore for similar reasons. So, while that would solve the problem it is a no-go.
  • Remove the password field from the Backup Now page. This is problematic for the people who want to enter a password without having to go to the Configuration all the time.
  • Remove the One Click Backup feature (which is a far more commonly used feature than the ANGIE password) and prevent you from being able to click Backup Now for at least three seconds (which would violate POLA and confuse users).
  • Remove the ANGIE password (which causes obvious problems to people running NginX or IIS as their web server).
  • Warn users when there's an ANGIE password set. Very few people set it up intentionally and the warning might annoy them.
 So, the least problematic approach is the latter which is what we implemented.

Beyond that, we are adding a small bit of text in the next release of Akeeba Backup, right in the ANGIE password page, explaining how you can disable the password. This is something I implemented nearly a month ago. HOWEVER, we cannot remove the backup progress warning just because we added some text explaining the corrective measure. People neither tend to read text on the screen when confronted with an unexpected situation nor do they stop to think and/or read the documentation to understand that the password is something they (or their browser / password manager) applied and NOT something we arbitrarily enforced without telling them about it.

For every warning you see in our software there's been a deliberate, long process of assessing alternatives and the risks they carry, carefully imposing the warning message to be succinct, write documentation and carefully execute the implementation in a way that makes sense.

There are many more cases where you don't see a warning message because it's something we could detect and rectify server-side. You will only see a message when the solution requires your interaction either because it's caused by third party software (including Joomla configuration options) OR it needs you to make a decision. We of course understand messages fatigue and we do try to keep messages to a minimum.

Finally, this warning does have great significance. The overwhelming majority of people do NOT set up an ANGIE password. They are caught off-guard when their browser magically auto-fills a password field they didn't notice because they were not looking for it. In fact, they do not KNOW this happened. All they know is that they tried to restore their backup and they're locked out of it so Akeeba Ltd must be an evil company which holds their web site backups ransom. This is a major problem for us, obviously. So between hypocritically removing this feature, throwing our security conscious users under the bus, and adding a warning which might annoy some people like you we would go with the latter every time. I'm sorry you are annoyed by it but at the end of the day you're the only person in 7 or so years to be annoyed so from our perspective our decision seems to be the right one.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!