Incze Lajos wrote:
> On Wed, Jan 31, 2001 at 01:55:46PM -0800, Joerg Beekmann wrote:
> >
> >
> > > Is it really a security risk, though? Remember that the
> > > password displayed here
> > > did *not* work (otherwise, the user would have been logged
> > > in), so a potential
> > > attacker is not learning anything new. After all, they can
> > > just try various
> > > username and password combinations on your login screen, and
> > > find out exactly the
> > > same thing, even if the password text were not echoed.
> > >
> > I don't understand, seems to me the attacker is learning something.
> > Two likely reasons for a failed login are:
> > - simple typo; in this case trying a few variations or in many cases
> > correcting the spelling will get the attacker in.
> > - the user has multiple passwords and typed the wrong one. This
> > might compromise other systems
> >
> > Joerg
>
> I fully understand Joerg. Refrain the password (which can be seen
> in the HTML source view) is a bug.
>
> 1. As any sysadmin can tell you, users - if they can - will select
> meaningful passwords. I sight enough sometimes to know what the typo
> was, and what the real password is.
>
> 2. Another issue is privacy. Users think what they type is TOTALLY ENCRYPTED
> and you can get very inconvenient situations when something thought
> to be secret will be unveiled in clear text. So, it's simply HURTING
> A CONTRACT (that's why I'm calling it bug, not risk).
> incze
These arguments make sense ... I just checked in a patch.
Note that doing this breaks a different contract ("all Struts form tags
redisplay the previous values from the corresponding form bean property"),
but in the case of conflicting goals security needs to win.
Craig
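The two behaviours this thread contrasts, as an added Python sketch that is not Struts code and not Craig's patch: a form-bean renderer that either redisplays the password field (the pre-patch behaviour) or blanks it (the patched behaviour), plus a parser-based check that flags any password input carrying a value in the rendered HTML. The bean field names and values are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed form bean: what a user submitted on a failed login attempt.
FORM_BEAN = {"username": "jbeekmann", "password": "Summ3r2001!"}


def render_form(bean, redisplay_password):
    """Render a login form from the bean.

    redisplay_password=True mimics the old behaviour the thread objects to
    (every field, password included, is echoed back into the HTML source);
    False mimics the patched behaviour (the password field is blanked).
    """
    fields = []
    for name, value in bean.items():
        is_secret = name == "password"
        itype = "password" if is_secret else "text"
        if is_secret and not redisplay_password:
            fields.append(f'<input type="{itype}" name="{name}" value="">')
        else:
            escaped = html.escape(value, quote=True)
            fields.append(f'<input type="{itype}" name="{name}" value="{escaped}">')
    return '<form method="post" action="/login">\n' + "\n".join(fields) + "\n</form>"


class PasswordEchoFinder(HTMLParser):
    """Collects the names of password inputs whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.echoed = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        # A password box that carries a value is the leak the thread describes.
        if a.get("type", "").lower() == "password" and a.get("value"):
            self.echoed.append(a.get("name", "?"))


def find_echoed_passwords(page):
    """Return the names of password fields echoed in a rendered page."""
    finder = PasswordEchoFinder()
    finder.feed(page)
    return finder.echoed
```

The checker can be run over any rendered page, not only this renderer's output, to catch other templates that redisplay a password field.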