[wp-trac] [WordPress Trac] #15369: WordPress exposes clear text passwords in the UI
WordPress Trac
wp-trac at lists.automattic.com
Wed Nov 10 16:17:16 UTC 2010
#15369: WordPress exposes clear text passwords in the UI
--------------------------+-------------------------------------------------
 Reporter:  nh2           |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  lowest        |  Milestone:  Awaiting Review
Component:  Security      |    Version:
 Severity:  trivial       |   Keywords:  passwords
--------------------------+-------------------------------------------------
Comment(by nh2):
Replying to [comment:1 westi]:
> This does nothing to actually hide the passwords.
Of course, it displays bullets instead of the plain text passwords.
I don't know if this applies to you, but I am barely alone in the room
when I set up WordPress sites. Sometimes there is even video surveillance.
Just yesterday, I was inadvertently shown the MySQL password of a friend's
database server because of this usability feature.
> We could consider not displaying the email server password and returning
> a blank string and just letting people change it but the others are fine
> as they are.
Well, a very security-enhancing "compromise" if the potential villain
watching your screen whilst standing behind you already knows the database
password.
> The fields are much more user friendly as plain text for entering.
What about doing it like most desktop software does it? Hide the
characters by default and have a "show password" checkbox next to the
input. This would provide both security and usability.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15369#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software