Admin/ManageUsers.aspx has a plaintext password field

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

7/10/2008 10:15:03 AM
Total Posts 43

Admin/ManageUsers.aspx has a plaintext password field

Hi,

Similar to the 'bug' where the LDAP password textbox did not have the password property set, Admin/ManageUsers.aspx has a plaintext password field.

I'm a little nervous setting up users for the site with people able to see my screen so I updated my working copy and here's the SVN .patch file created:

Index: Web/Admin/ManageUsers.aspx

===================================================================

--- Web/Admin/ManageUsers.aspx (revision 3950)

+++ Web/Admin/ManageUsers.aspx (working copy)

@@ -45,7 +45,7 @@

</div>
<div id="divPassword" runat="server" class="settingrow">
<mp:SiteLabel id="lblPassword" runat="server" ForControl="txtPassword" CssClass="settinglabel" ConfigKey="ManageUsersPasswordLabel" ></mp:SiteLabel>
- <asp:Textbox id="txtPassword" runat="server" columns="45" TabIndex="10" maxlength="50"></asp:Textbox>
+ <asp:Textbox id="txtPassword" runat="server" columns="45" TabIndex="10" maxlength="50" TextMode="Password"></asp:Textbox>
<mp:HelpLinkButton runat="server" id="HelpLinkButton6" HelpKey="userpasswordhelp" ImageUrl="~/Data/SiteImages/FeatureIcons/help.gif" />
</div>
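
Review bot: TextMode="Password" on txtPassword is hard-coded in the markup, so masking cannot be switched off for sites that rely on reading the value in this field; consider setting it from code-behind based on a configuration value instead. ASP.NET also does not render the Text of a password-mode TextBox back into the page, so check that the save path behind ManageUsers.aspx treats an empty txtPassword as "leave unchanged" rather than as a new value.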


All the best,

Kenny

7/10/2008 1:31:20 PM
Total Posts 18439

Re: Admin/ManageUsers.aspx has a plaintext password field

Hi Kenny,

In this case it was kind of by design that the passwords were not masked from the admin. The idea is in cases where you need to be able to tell your customer their password so you need to see it. For example if taking a customer service phone call. Obviously it's a business decision whether to allow employees to see passwords in the system so I leave it up to the business. For those with tighter security needs you can use hashed passwords which are not visible in the UI nor in the db.

I suppose the case you are working with is that you'd like to be able to manually change passwords there but want to protect from shoulder surfing and you don't really need to see the current password. I've implemented something today to make it configurable, it will be in svn trunk by tonight.

There is a new config setting:

<add key="MaskPasswordsInUserAdmin" value="true" />

I've made the default true but it allows for those cases where the admin wants to be able to see the password. Then I set it in code like this:

if (WebConfigSettings.MaskPasswordsInUserAdmin)
{
     txtPassword.TextMode = TextBoxMode.Password;
}
 

Best,

Joe
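
An added example, not part of Joe's post and not mojoPortal's own code: one way a default-true setting such as MaskPasswordsInUserAdmin can be read so that a missing or mistyped value still masks, together with the postback check a masked field needs because ASP.NET does not render a password-mode TextBox's value. The class and method names are hypothetical; only the config key comes from the thread.

```csharp
using System;
using System.Collections.Specialized;

// Added example; hypothetical helper, not mojoPortal's WebConfigSettings code.
public static class PasswordFieldPolicy
{
    // Only this key name comes from the thread.
    public const string MaskKey = "MaskPasswordsInUserAdmin";

    // Fail safe: a missing, empty or unparsable value means "mask".
    public static bool ShouldMask(NameValueCollection appSettings)
    {
        string raw = appSettings[MaskKey];
        bool parsed;
        if (raw != null && bool.TryParse(raw.Trim(), out parsed))
        {
            return parsed;
        }
        return true;
    }

    // A masked TextBox is rendered without its value, so an untouched field
    // posts back empty. Empty therefore means "keep the current password".
    // 'current' is only known when passwords are stored readable and the
    // field is unmasked; pass null otherwise.
    public static bool ShouldChangePassword(bool masked, string posted, string current)
    {
        if (string.IsNullOrEmpty(posted)) return false;
        if (!masked && posted == current) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed settings standing in for ConfigurationManager.AppSettings.
        var missing = new NameValueCollection();
        var typo = new NameValueCollection { { MaskKey, "flase" } };
        var off = new NameValueCollection { { MaskKey, "false" } };

        Console.WriteLine("key absent   -> mask: " + ShouldMask(missing));
        Console.WriteLine("value typo   -> mask: " + ShouldMask(typo));
        Console.WriteLine("value false  -> mask: " + ShouldMask(off));
        Console.WriteLine("masked, untouched field -> change: "
            + ShouldChangePassword(true, "", null));
        Console.WriteLine("masked, new value typed -> change: "
            + ShouldChangePassword(true, "constructed-sample", null));
    }
}
```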

7/11/2008 2:59:54 AM
Total Posts 43

Re: Admin/ManageUsers.aspx has a plaintext password field

Hi Joe,

The need to be able to reset the hashed passwords is there. It's more accidental "shoulder surfing" that must be avoided - according to a strict regulatory environment we cannot have the possibility of someone accidentally glancing at the screen that's showing a cleartext password.

Best regards,

Kenny

7/11/2008 5:58:30 AM
Total Posts 18439

Re: Admin/ManageUsers.aspx has a plaintext password field

Hi Kenny,

With hashed passwords it never did display the existing password, so shoulder surfing was not possible except if they surf right at the time you are updating a password, which is what I understand was your concern. But now with it masked that is solved.

Best,

Joe

7/11/2008 6:44:31 AM
Total Posts 43

Re: Admin/ManageUsers.aspx has a plaintext password field

Absolutely agree.

All the Best,

Kenny
