PKP Bugzilla – Bug 2971
Passwords should not be echoed back in cleartext
Last modified: 2012-09-21 17:20:15 PDT
Passwords should never be echoed back in cleartext (except in extenuating circumstances, such as showing the database password while editing the configuration file). This is currently possible in the LDAP plugin, and may appear elsewhere.
Password on installer is an example of this.
Fixed on OMP install page: https://github.com/pkp/omp/commit/464cb9a7965f0421c1427f923697106c028f69d7
The bug entry is about sending the password over the network unencrypted, not presenting it to the user in a readable form. (Using input type="password" can obviously be circumvented by viewing the source). Passwords should never be sent back to the user; preloading password fields with "*******" (literally) when passwords are already set, and then updating the DB only when they have been changed from that value, would get around the problem.
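The sentinel approach described in the comment above, as an added example that is not part of the bug report or of PKP's own code. The settings array standing in for the plugin's database table, the field name `ldapBindPassword`, and the rule that an empty submission clears the stored password are assumptions made for the illustration:

```php
<?php
// Added example, not PKP code: a settings form that never echoes a stored
// password back to the browser. The literal placeholder is the one suggested
// in the bug comment; the store and field name below are hypothetical.

const PASSWORD_SENTINEL = '*******';

/**
 * Render the password input. When a password is already stored, the field is
 * preloaded with the literal sentinel, so the real value never appears in the
 * response (input type="password" alone would still leave it in the page source).
 *
 * @param array<string,string> $settings hypothetical name => value store
 */
function renderPasswordField(array $settings, string $name): string
{
    $value = (($settings[$name] ?? '') !== '') ? PASSWORD_SENTINEL : '';
    return sprintf(
        '<input type="password" name="%s" value="%s" autocomplete="new-password">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

/**
 * Apply a submitted value. An unchanged sentinel means "keep what is stored";
 * anything else replaces it. Assumption: an empty submission clears the
 * password (the bug report does not specify this case).
 *
 * @param array<string,string> $settings
 * @return array<string,string> updated store
 */
function applyPasswordUpdate(array $settings, string $name, string $submitted): array
{
    if ($submitted === PASSWORD_SENTINEL) {
        return $settings; // user left the placeholder alone: no DB write
    }
    $settings[$name] = $submitted;
    return $settings;
}

// Constructed walk-through (sample data, not from any real installation).
$settings = ['ldapBindPassword' => 's3cret'];

// The rendered field carries only the sentinel, never "s3cret".
$html = renderPasswordField($settings, 'ldapBindPassword');
if (strpos($html, 's3cret') !== false || strpos($html, PASSWORD_SENTINEL) === false) {
    throw new RuntimeException('stored password leaked into the form');
}
echo $html, "\n";

// Submitting the form untouched keeps the stored value.
$settings = applyPasswordUpdate($settings, 'ldapBindPassword', PASSWORD_SENTINEL);
if ($settings['ldapBindPassword'] !== 's3cret') {
    throw new RuntimeException('unchanged sentinel must not overwrite the password');
}

// Typing a new value replaces it.
$settings = applyPasswordUpdate($settings, 'ldapBindPassword', 'new-pass');
if ($settings['ldapBindPassword'] !== 'new-pass') {
    throw new RuntimeException('changed value was not stored');
}

// A field with nothing stored renders empty rather than with a placeholder.
echo renderPasswordField([], 'ldapBindPassword'), "\n";
```

Two caveats a reviewer would raise: a password literally equal to the sentinel can no longer be set through this form, and the same rule must be applied on every path that re-renders the form (for example after a validation error), otherwise the submitted plaintext comes back in the response anyway. The pattern only stops the stored value from being echoed; protecting the value in transit is a separate matter for TLS.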