#12522 closed defect (bug) (duplicate)
Don't show password in plaintext in installer confirmation page
| Reported by: | caesarsgrunt | Owned by: | ryan |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | 3.0 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Just noticed that after the user chooses a password, it is shown in plaintext on the next page (presumably a hangover from when it used to be generated and so had to be shown). This is a major security flaw. Just as password entry fields always use asterisks or bullets rather than showing plaintext, so that people in the vicinity don't see the password being entered, the password should not be shown here in plaintext. The issue is, in fact, more severe than just a password entry field, since (a) the information is shown for longer and (b) the page could be cached under some circumstances, with potentially disastrous results.
Can anyone think of a reason to show the password here, or can we remove it?
Change History (2)
Duplicate of #12479 and the main task ticket, #10396.
Good to see you active again.