View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003626 | Composr | core_form_interfaces | public | 2018-06-07 15:49 | 2022-12-26 22:58 |
Reporter | Chris Graham | Assigned To | |||
Severity | Feature-request | ||||
Status | non-assigned | Resolution | open | ||
Product Version | |||||
Fixed in Version | |||||
Summary | 0003626: Password input with show password button | ||||
Description | Have a new $value parameter to form_input_password. If not null, it will put a 'show password' button next to it. Currently we don't use password inputs for passwords in configuration, because you may legitimately want to see the value when checking your configuration. All these would need moving over to using form_input_password (including password inputs in modules like admin_cns_forums, and actual configuration options, including config options for secret keys). | ||||
Additional Information | Using a password field with a default value is not secure - it can easily be revealed by a little JS or looking at the HTML source. However, it is 'secure' against someone looking over your shoulder or watching a webcast or watching a prerecorded video (where the field was not blurred). | ||||
Tags | Roadmap: Over the horizon, Type: Security | ||||
Time estimation (hours) | 4 | ||||
Sponsorship open | |||||
|
We could also consider a setting and/or privilege on whether to pass through existing passwords at all, and instead only allow them to be changed. This would require more work though. |
|
Actually the show/hide button should be there even when there's no default password. It's an accessibility feature for those who are not confident in their typing. However, as a stopgap, browser extensions do exist: https://addons.mozilla.org/en-US/firefox/addon/show-me-the-passsword/?src=recommended https://chrome.google.com/webstore/detail/show-and-hide-passwords/panhbjhhhpldcicghpekhonnmfnpgibd |
|
Note you need to put spellcheck="false" on any field that is converted from type="password" to type="text", as there is a security concern: https://it.slashdot.org/story/22/09/19/2133252/microsoft-edge-google-chrome-enhanced-spellcheck-feature-exposes-passwords?utm_source=rss1.0mainlinkanon&utm_medium=feed |
|
We also need to consider hybridauth.xml, which is a config file which can contain raw keys. I think anywhere a key can be defined should support Tempcode, so you could do {$VALUE_OPTION,facebook_private_key} for example, and then set that in Commandr: :set_value('facebook_private_key', 'abcdef'); EDIT: This is now implemented using the new keys.csv importing mechanism from admin_config. |
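
The show/hide button and the spellcheck="false" requirement from the notes above, sketched as an added example (not Composr code and not part of the original issue). The function names, button labels and the re-masking on submit are assumptions made for illustration.

```javascript
// Added example: show/hide toggle for password inputs.
// Function names and button labels are hypothetical, not Composr's.

// Switch one input between masked and revealed.
// spellcheck="false" is written BEFORE the type becomes "text", so the field
// never exists as a spellchecked text input holding the secret.
function setPasswordVisibility(input, button, reveal) {
    if (reveal) {
        input.setAttribute('spellcheck', 'false');
        input.setAttribute('type', 'text');
    } else {
        input.setAttribute('type', 'password');
    }
    // aria-pressed lets assistive technology announce the toggle state.
    button.setAttribute('aria-pressed', reveal ? 'true' : 'false');
    button.textContent = reveal ? 'Hide password' : 'Show password';
    return input.getAttribute('type');
}

// Wire a button to an input. The field always starts masked, which covers the
// shoulder-surfing and screen-recording cases from the issue text.
function attachPasswordToggle(input, button) {
    setPasswordVisibility(input, button, false);
    button.addEventListener('click', function () {
        const revealed = input.getAttribute('type') === 'text';
        setPasswordVisibility(input, button, !revealed);
    });
    // Precaution (assumption of this example): re-mask before submit so the
    // value is always sent from a type="password" field.
    if (input.form) {
        input.form.addEventListener('submit', function () {
            setPasswordVisibility(input, button, false);
        });
    }
}

// Browser wiring; run after the DOM is parsed. Skipped outside a browser.
if (typeof document !== 'undefined') {
    document.querySelectorAll('input[type="password"]').forEach(function (input) {
        const button = document.createElement('button');
        button.type = 'button'; // must not submit the surrounding form
        input.insertAdjacentElement('afterend', button);
        attachPasswordToggle(input, button);
    });
}
```

The toggle only hides the value on screen; as the issue says, a pre-filled value is still present in the HTML source.
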
Date Modified | Username | Field | Change |
---|---|---|---|
2018-06-07 15:49 | Chris Graham | New Issue | |
2018-06-07 15:49 | Chris Graham | Tag Attached: Type: Security | |
2018-06-07 16:08 | Chris Graham | Note Added: 0005736 | |
2020-07-09 17:00 | Chris Graham | Note Added: 0006645 | |
2022-09-20 01:43 | Chris Graham | Note Added: 0007519 | |
2022-10-22 00:33 | Chris Graham | Description Updated | View Revisions |
2022-10-22 00:33 | Chris Graham | Additional Information Updated | View Revisions |
2022-10-22 00:33 | Chris Graham | Time estimation (hours) | 3 => 4 |
2022-10-22 00:33 | Chris Graham | Sponsorship open | 0 => |
2022-10-22 00:33 | Chris Graham | Tag Attached: Roadmap: v11 | |
2022-10-22 00:34 | Chris Graham | Assigned To | => Patrick Schmalstig |
2022-10-22 00:34 | Chris Graham | Status | non-assigned => assigned |
2022-10-24 17:02 | Chris Graham | Note Added: 0007568 | |
2022-11-20 03:00 | Chris Graham | Tag Detached: Roadmap: v11 | |
2022-11-20 03:00 | Chris Graham | Tag Attached: Roadmap: v12 | |
2022-11-20 03:00 | Chris Graham | Assigned To | Patrick Schmalstig => |
2022-11-20 03:00 | Chris Graham | Status | assigned => non-assigned |
2022-12-26 22:58 | Chris Graham | Note Edited: 0007568 | View Revisions |
2024-03-26 00:58 | Patrick Schmalstig | Tag Renamed | Roadmap: v12 => Roadmap: Over the horizon |