Bug 2971 – Passwords should not be echoed back in cleartext

Bug 2971 - Passwords should not be echoed back in cleartext

Summary:

Passwords should not be echoed back in cleartext

Status:	NEW

Product:	OJS
Classification:	Unclassified
Component:	General
Version:	2.4.x
Platform:	PC Linux

Importance:	P1 normal
Assigned To:	PKP Support

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2007-08-08 14:15 PDT by Alec Smecher
Modified:	2012-09-21 17:20 PDT (History)
CC List:	2 users (show)

See Also:
Version Reported In:
Also Affects:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alec Smecher 2007-08-08 14:15:49 PDT

Passwords should never be echoed back in cleartext (except in extenuating circumstances, such as showing the database password while editing the configuration file). This is currently possible in the LDAP plugin, and may appear elsewhere.

Comment 1 Juan Pablo Alperin 2011-03-17 16:11:26 PDT

password on installer is example of this.

Comment 2 Matthew Crider 2011-03-18 17:47:05 PDT

Fixed on OMP install page: https://github.com/pkp/omp/commit/464cb9a7965f0421c1427f923697106c028f69d7

Comment 3 Alec Smecher 2011-03-18 17:53:57 PDT

The bug entry is about sending the password over the network unencrypted, not presenting it to the user in a readable form. (Using input type="password" can obviously be circumvented by viewing the source). Passwords should never be sent back to the user; preloading password fields with "*******" (literally) when passwords are already set, and then updating the DB only when they have been changed from that value, would get around the problem.