Bug 2971 - Passwords should not be echoed back in cleartext
Status: NEW
Product: OJS
Classification: Unclassified
Component: General
Version: 2.4.x
Hardware: PC Linux
Importance: P1 normal
Assigned To: PKP Support
Depends on:
Blocks:
Reported: 2007-08-08 14:15 PDT by Alec Smecher
Modified: 2012-09-21 17:20 PDT (History)

See Also:
Version Reported In:
Also Affects:


Description Alec Smecher 2007-08-08 14:15:49 PDT
Passwords should never be echoed back in cleartext (except in extenuating circumstances, such as showing the database password while editing the configuration file). This is currently possible in the LDAP plugin, and may appear elsewhere.
Comment 1 Juan Pablo Alperin 2011-03-17 16:11:26 PDT
Password on installer is an example of this.
Comment 2 Matthew Crider 2011-03-18 17:47:05 PDT
Fixed on OMP install page: https://github.com/pkp/omp/commit/464cb9a7965f0421c1427f923697106c028f69d7
Comment 3 Alec Smecher 2011-03-18 17:53:57 PDT
The bug entry is about sending the password over the network unencrypted, not presenting it to the user in a readable form. (Using input type="password" can obviously be circumvented by viewing the source). Passwords should never be sent back to the user; preloading password fields with "*******" (literally) when passwords are already set, and then updating the DB only when they have been changed from that value, would get around the problem.
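The approach described in comment 3 (pre-load the field with a literal placeholder and only write to the store when the submitted value differs from it), as an added Python example that is not part of OJS or of this bug report; the PBKDF2 hashing helper and the rule that an empty submission clears the stored password are assumptions made for the example.

```python
"""Sentinel-based handling of a password field in a settings form.

The stored secret is never placed in the form. The field is pre-loaded
with a fixed placeholder, and the store is updated only when the
submitted value is something other than that placeholder.
"""
import hashlib
import hmac
import os
from typing import Optional

PASSWORD_SENTINEL = "*******"  # literal placeholder shown in the form

# Assumed storage format: "<salt hex>$<pbkdf2 digest hex>"
_ITERATIONS = 100_000


def form_value_for(stored_hash: Optional[str]) -> str:
    """Value to pre-load into the password input: never the stored secret."""
    return PASSWORD_SENTINEL if stored_hash else ""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256 hash (assumed scheme, not OJS's own)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored_hash: str) -> bool:
    """Constant-time check of a candidate password against the stored hash."""
    salt_hex, digest_hex = stored_hash.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), _ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def apply_submission(stored_hash: Optional[str], submitted: str) -> Optional[str]:
    """Return the hash to persist after the form is submitted.

    Sentinel left untouched -> keep the existing hash.
    Empty field           -> password cleared (assumed semantics).
    Anything else         -> hash and store the new value.
    Caveat: a user who really types the sentinel as a password is
    indistinguishable from "unchanged", so pick a sentinel no one would use.
    """
    if submitted == PASSWORD_SENTINEL:
        return stored_hash
    if submitted == "":
        return None
    return hash_password(submitted)
```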