On Oct 15, 2009, at 1:24 PM, Sergiu Dumitriu wrote:

> On 10/15/2009 01:09 PM, Vincent Massol wrote:
>>
>> On Oct 15, 2009, at 10:56 AM, Sergiu Dumitriu wrote:
>>
>>> On 10/14/2009 06:59 PM, [email protected] wrote:
>>>> Hello Developers,
>>>>
>>>> This message is sent by XWiki. Here are the documents in your watchlist
>>>> that have been modified since the last notification:
>>>
>>>> XWiki.flavius
>>>>
>>>> Between 2009/10/12 15:15 and 2009/10/12 15:17, the document has
>>>> been modified 2 times, by 2 user(s): Flavius Olaru, Jerome Velociter
>>>>
>>>> XWiki.XWikiUsers
>>>> password:
>>>> hash:SHA-512:ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ffhash:SHA-512:01ee4ab961b2f3f35fce8412d7facc44cd68782ed1b1810e849f21420583df04bee183d2b740d33417584e14fbc0dfc9d6232d2ce814012146840a69fdb2f31f
>>>> author: XWiki.jvelociter> XWiki.flavius
>>>
>>> ^^^
>>> This is not right.
>>
>> I was wondering too. Can you be more specific about what's not right?
>
> Password changes should not be sent in plain text on this email.
> Fortunately the default password is hashed, but:
>
> - this is configurable, so some wikis could have plain text passwords
> - hashes are getting easier to break, with advances in cryptography and
>   mass computing
> - other classes could use custom unencrypted password fields
> - most other places where fields are displayed hide the password (XML
>   export, access through the API, the object editor...)
>
> So, we either don't display it at all, or we display a generic
> "password: this value has changed"

Right. I agree that password types should not show their values.

Thanks
-Vincent

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
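
The masking rule agreed in this thread, as an added Python sketch that is not XWiki code and not part of the original messages: a change-notification renderer that decides by declared property type rather than by field name or storage format, so hashed, plain-text and custom-class password fields all get the generic line. The function name, the type labels and the sample objects are assumptions made for the illustration.

```python
REDACTED = "this value has changed"  # generic wording proposed in the thread
# Constructed type labels. Only these types are ever printed; a Password
# property, or a property missing from the schema, is masked (fail closed,
# an assumption of this example).
DISPLAYABLE = {"String", "Number"}


def render_object_diff(class_name, schema, old, new):
    """Return notification lines for the changed properties of one object.

    schema maps property name -> declared type. Values of non-displayable
    properties never reach the output, whether they are hashes or plain text.
    """
    lines = [class_name]
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue  # unchanged properties are not reported at all
        if schema.get(name) in DISPLAYABLE:
            lines.append(f"  {name}: {before} -> {after}")
        else:
            lines.append(f"  {name}: {REDACTED}")
    return lines


def demo():
    """Render two constructed changes: a user object and a custom class."""
    users = {"password": "Password", "email": "String"}
    custom = {"apiSecret": "Password", "label": "String"}
    out = render_object_diff(
        "XWiki.XWikiUsers", users,
        {"password": "hash:SHA-512:<old>", "email": "a@example.org"},
        {"password": "hash:SHA-512:<new>", "email": "a@example.org"},
    )
    out += render_object_diff(
        "Demo.ServiceClass", custom,  # hypothetical custom class
        {"apiSecret": "plain-old", "label": "x"},
        {"apiSecret": "plain-new", "label": "y", "token": "t-123"},
    )
    return out


if __name__ == "__main__":
    print("\n".join(demo()))
```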

