Make WordPress Core

Opened 17 years ago

Closed 16 years ago

#5529 closed defect (bug) (wontfix)

Wordpress MySQL Setup should use a password field for the DB password

Reported by: csogilvie's profile csogilvie Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.5
Component: General Keywords: has-patch
Focuses: Cc:

Description

When setting up Wordpress, the password field for MySQL is shown as a plain text field. This should probably use the password field type, so that the text is not shown to people, in the same way the login screen does.

Attachments (2)

wordpress-setup-password.diff (439 bytes) - added by csogilvie 17 years ago.
Patch
db-password-autocomplete-off-REV6498.diff (459 bytes) - added by davidszp 17 years ago.
turns off autocomplete in recent browsers for DB password in setup screen

Download all attachments as: .zip

Change History (10)

#1 @csogilvie
17 years ago

  • Keywords has-patch added

#2 @Nazgul
17 years ago

It has been discussed before in #3534.

It was closed as a wontfix back then.

#3 @csogilvie
17 years ago

Not sure I agree with the reasons for why it was won't fixed. It's also contrary to how many of the other applications that people use work, and is contrary to the experience that users expect (users expect passwords to be displayed as * whenever they are entering one).

It certainly caused me (and some of my colleagues) some concern when we were setting up Wordpress for something, and the password was displayed in plain text (and at a MUCH larger than normal font).

#4 follow-up: @Viper007Bond
17 years ago

-1. I prefer making sure I typed it in correctly.

#5 in reply to: ↑ 4 @DD32
17 years ago

Replying to Viper007Bond:

-1. I prefer making sure I typed it in correctly.

Same here, I like to know i typed it correctly, However, If you type it incorrectly, The installer just comes up with a improper database connectivity issue.

I guess some people prefer others not to see the password, But, The database password should be of significant length, and compexity anyway.. You'd not use a personal password for something like that (I know you do on most shared hosts...)

#6 @mwdmeyer
17 years ago

+ 1

The installer should simply do a test connect to see if the password is correct (that is how I write all my installers with PHP/MySQL).

I think that showing the password is a bad idea.

@davidszp
17 years ago

turns off autocomplete in recent browsers for DB password in setup screen

#7 @davidszp
17 years ago

Instead of masking the password field, how about a compromise where recent browsers (see http://developer.mozilla.org/en/docs/How_to_Turn_Off_Form_Autocompletion) won't remember the value of the password field via autocomplete so as not to leave the password hanging around (as much) in the browser of the person that did the install, at least not in as accessible a format? I have attached a patch to the latest trunk that does this; it's a slight change to one line in setup-config.php.

#8 @mrmist
16 years ago

  • Milestone 2.9 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Looks like a wontfix to me.

Note: See TracTickets for help on using tickets.