Signup form doesn't mask passwords

SierraAR

Community Advocate
Community Support
Messages
827
Reaction score
17
Points
18
http://sierrabrown.me/ss/phggq97.jpg

The signup form on the front page of x10vps.com doesn't mask the password fields with asterisks (***). This is a bit of a security issue for public areas or people with nosey 'friends'.
 

GtoXic

x10 Support
Messages
636
Reaction score
17
Points
0
Yeah, I can confirm this, tested in FF, Chrome and IE.
 

bdistler

Well-Known Member
Prime Account
Messages
3,534
Reaction score
196
Points
63
Just received my password by email as "plaintext" - not nice

I confirm the signup form shows the password as "plaintext" - not nice

I assume from the above that my password is stored unencrypted (same as "plaintext") by x10hosting
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
Messages
3,819
Reaction score
163
Points
63
Just received my password by email as "plaintext" - not nice

I confirm the signup form shows the password as "plaintext" - not nice

I assume from the above that my password is stored unencrypted (same as "plaintext") by x10hosting

Without looking at the code, I couldn't say for sure, but I'm willing to bet your password is hashed in our database. Just because you receive an email with your password doesn't mean the password's being stored in cleartext (correct wording: it's not plaintext). It's as simple as setting a separate variable with the stored password for email, or simply sending the email before hashing. As for the confirmation page - it's probably in the GET params (or it's a cookie).
 

essellar

Community Advocate
Community Support
Messages
3,295
Reaction score
227
Points
63
Password masking should only ever be an option (or at the very least, there should be an option to render clear text). Y'all folks ought to keep up on security best practices—the object of the game is to encourage passwords with high entropy (longer is better, regardless of the complexity of the character pattern) and that results in greater opportunities for typos. Password masking tends to encourage simpler/shorter passwords.

Emailing clear text passwords is generally a bad idea no matter how the password is actually stored in the login system (and one would hope that it's at least stored as a salted hash with a high work factor; preferable is both salt and pepper)—email systems are rarely as secure as one would like, and an email program (or a webmail page) is one of those things that's likely to be left open for an extended period of time.
 
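The storage scheme essellar describes (a per-user salt, a high work factor, and a server-side pepper kept outside the database), written out as an added example; this is not x10hosting's code, and the PEPPER value, iteration count and record format are assumptions for illustration. It also shows leafypiggy's point: what gets persisted contains no recoverable copy of the password, whatever the signup mail did with it.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical server-side pepper: a secret held in application config, not
# in the user table, so a database dump alone cannot be used for offline
# guessing. Constructed value for this example only.
PEPPER = bytes.fromhex("9f2c6d1e3b4a5c7d8e0f112233445566")

# Work factor: PBKDF2-HMAC-SHA256 iteration count (assumed value). Raise it
# over time; the record stores the count so old entries still verify.
ITERATIONS = 300_000


def _pepper(password: str) -> bytes:
    # Bind the password to the secret pepper before key derivation.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored salt and work factor."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing does not leak partial matches.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def signup_record(password: str) -> dict:
    """What the signup handler persists: the record, never the password."""
    return {"password_record": hash_password(password)}
```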

Corey

I Break Things
Staff member
Messages
34,553
Reaction score
204
Points
63
Just to clarify some things...

I've never agreed with the masking password field thing on registration, it doesn't change the way it is stored\submitted on the server... only causes inconvenience for the user. Apparently it's to prevent shoulder peeping? As it is a simple change I'll go ahead and enable it.

With that said, I understand the email issue... personally I change my passwords any time I get one via email, whether it's a reset\registration, etc. But I understand not everyone does what I do, so I'll fix that so passwords are no longer emailed, and if someone 'forgets', the email clearly tells them to log in and change it immediately. If I have time I'll force a password change upon login from a reset.

Passwords are encrypted in all of our systems, it was very difficult to do encryption with the VPN setup due to radius but it is done. Overall I think the way we handle things in general between all the systems\sites we have is very secure compared to the industry norm.
 