Opened 6 years ago

Closed 5 years ago

#5529 closed defect (bug) (wontfix)

Wordpress MySQL Setup should use a password field for the DB password

Reported by: csogilvie
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.5
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

When setting up Wordpress, the password field for MySQL is shown as a plain text field. This should probably use the password field type, so that the text is not shown to people, in the same way the login screen does.

Attachments (2)

wordpress-setup-password.diff (439 bytes) - added by csogilvie 6 years ago.
Patch
db-password-autocomplete-off-REV6498.diff (459 bytes) - added by davidszp 6 years ago.
turns off autocomplete in recent browsers for DB password in setup screen


Change History (10)

csogilvie 6 years ago

Patch

comment:1 csogilvie 6 years ago

  • Keywords has-patch added

comment:2 Nazgul 6 years ago

It has been discussed before in #3534.

It was closed as a wontfix back then.

comment:3 csogilvie 6 years ago

Not sure I agree with the reasons for why it was won't fixed. It's also contrary to how many of the other applications that people use work, and is contrary to the experience that users expect (users expect passwords to be displayed as * whenever they are entering one).

It certainly caused me (and some of my colleagues) some concern when we were setting up Wordpress for something, and the password was displayed in plain text (and at a MUCH larger than normal font).

comment:4 follow-up: Viper007Bond 6 years ago

-1. I prefer making sure I typed it in correctly.

comment:5 in reply to: ↑ 4 DD32 6 years ago

Replying to Viper007Bond:

> -1. I prefer making sure I typed it in correctly.

Same here, I like to know I typed it correctly. However, if you type it incorrectly, the installer just comes up with an improper database connectivity issue.

I guess some people prefer others not to see the password, but the database password should be of significant length and complexity anyway. You'd not use a personal password for something like that (I know you do on most shared hosts...)

comment:6 mwdmeyer 6 years ago

+ 1

The installer should simply do a test connect to see if the password is correct (that is how I write all my installers with PHP/MySQL).

I think that showing the password is a bad idea.

davidszp 6 years ago

turns off autocomplete in recent browsers for DB password in setup screen

comment:7 davidszp 6 years ago

Instead of masking the password field, how about a compromise where recent browsers (see http://developer.mozilla.org/en/docs/How_to_Turn_Off_Form_Autocompletion) won't remember the value of the password field via autocomplete so as not to leave the password hanging around (as much) in the browser of the person that did the install, at least not in as accessible a format? I have attached a patch to the latest trunk that does this; it's a slight change to one line in setup-config.php.
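
A check for the two exposures debated in this ticket, on-screen display (comment:3) and browser form history (comment:7), written as an added example that is not part of the ticket, its patches, or WordPress. The markup, the field names and the `auditCredentialInputs` helper are constructed for illustration.

```javascript
// Added example: audit form markup for credential inputs that are shown in
// clear text or that the browser may keep in its form history.
// SAMPLE_SETUP_FORMS is constructed for illustration; it is not WordPress code.
const SAMPLE_SETUP_FORMS = `
<form method="post" action="setup-config.php">
  <input name="db_user" type="text" value="username" />
  <input name="db_pass" type="text" value="" />
</form>
<form method="post" action="setup-config.php">
  <input name="db_pass" type="text" autocomplete="off" />
</form>
<form method="post" action="setup-config.php" autocomplete="off">
  <input name="db_pass" type="password" />
</form>`;

const CREDENTIAL_NAME = /pass|pwd/i; // assumed naming convention

// Parse name="value" pairs from tag text into a lower-cased map.
function parseAttributes(text) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\/]+))/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).toLowerCase();
  }
  return attrs;
}

// One finding per credential-like input inside a <form>, in document order.
function auditCredentialInputs(html) {
  const findings = [];
  for (const [, formAttrs, body] of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    // A form-level autocomplete value applies unless the input overrides it.
    const formValue = parseAttributes(formAttrs).autocomplete;
    for (const tag of body.match(/<input\b[^>]*>/gi) || []) {
      const a = parseAttributes(tag);
      if (!a.name || !CREDENTIAL_NAME.test(a.name)) continue;
      const issues = [];
      // An input with no type attribute is rendered as a text field.
      if ((a.type || 'text') !== 'password') issues.push('cleartext-display');
      if ((a.autocomplete ?? formValue ?? 'on') !== 'off') issues.push('autocomplete-allowed');
      if (issues.length) findings.push({ name: a.name, issues });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditCredentialInputs(SAMPLE_SETUP_FORMS), null, 2));
```

The second sample form mirrors the compromise proposed in comment:7: the value stays readable on screen but is kept out of form history, so only `cleartext-display` is reported for it.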

comment:8 mrmist 5 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Looks like a wontfix to me.
