Author Topic: Password bug  (Read 390 times)
queks
Password bug
« on: April 17, 2002, 11:28:40 AM »

If I enter a wrong password, the screen shows my login name and the password that I keyed in. Shouldn't the wrong password be converted to black dots as well instead of being shown? Usually, when members enter the wrong password it is a typo. Displaying it will enable the password to be leaked. Thanks
Wistman
Re:Password bug
« Reply #1 on: April 17, 2002, 12:12:13 PM »

The only people to see this are the person entering the ID & password (don't forget it's wrong :)) and the admin in the errors log. Again, the password is still the wrong one, but the admin can access any member's profile and change the password anyway.
Hypocrite
Re:Password bug
« Reply #2 on: April 17, 2002, 12:18:03 PM »

I still don't like this feature. Makes YaBB look vulnerable. If someone can see over your shoulder, it can let someone use your account. If your password is lightning and you type lightingn, it's not really hard for someone else to figure out your password. Besides, if the passwords are in a log file and someone can get their hands on the log file, you are crappity smacked. By getting the admin password they can get the MySQL password etc. I really think this is a not so useful feature in YaBB SE.
Wistman
Re:Password bug
« Reply #3 on: April 17, 2002, 12:55:48 PM »

You have a fair comment about the looking over your shoulder bit, but the password is crypted in the members table.
Hypocrite
Re:Password bug
« Reply #4 on: April 17, 2002, 01:09:00 PM »

Quote from: Wistman on April 17, 2002, 12:55:48 PM
You have a fair comment about the looking over your shoulder bit, but the password is crypted in the members table

That's true :)
Jeff Lewis
Re:Password bug
« Reply #5 on: April 17, 2002, 01:29:02 PM »

I don't understand the big issue here.  It's a password, treat it like other passwords.  If you're that worried about someone looking over your shoulder, can they not see the keys that you press?  Should we use a new ESP module in order to get the password out there?

As for the argument that if someone gets the admin password for MySQL, who cares if they get to the error log and see an incorrect password, if they have access to that area they can just make themselves an admin and change your password anyway!!


Hypocrite
Re:Password bug
« Reply #6 on: April 17, 2002, 01:43:28 PM »

If I understood correctly, the password is shown so that the wrong password gets logged. I can understand this, but I still think that it gives a bad picture of YaBB SE as a secure application. Many people these days are very concerned about their privacy etc. on the web and can get worried about these things. I think the developers should try to make YaBB SE as secure as possible and try to make it look secure at least :D If it has these kinds of little things it can also attract hackers to try their luck at finding an easy way inside when they notice that.

If the password has to be shown only for the logging purpose, one solution would be to change the password part of the text to the same color as the background. So if you want to see the password you have to highlight it. It's not a good solution but... :)
Jeff Lewis
Re:Password bug
« Reply #7 on: April 17, 2002, 01:46:58 PM »

I still say it's nothing.  And it doesn't make it any less secure in my opinion.  It also shows so that a user knows what they typed wrong...
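
The alternative asked for in this thread (a failed login that neither echoes nor logs the attempted password), sketched as an added example. It is not YaBB SE code and is written in Python rather than YaBB SE's PHP; `handle_login`, `USERS`, `ERROR_LOG` and the sample account are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import html
import os
import time


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
# Constructed sample account store: username -> (salt, password hash).
USERS = {"queks": (_SALT, _hash("lightning", _SALT))}

ERROR_LOG = []  # stands in for the forum's error log (hypothetical)


def handle_login(username: str, password: str, remote_ip: str) -> dict:
    """Return the values a login page template would render."""
    # Unknown users get a dummy record so both paths do the same work.
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": True, "message": "Welcome back."}

    # Record who, when and from where, never what was typed: a near miss
    # such as "lightingn" tells a log reader almost as much as the real
    # password would.
    ERROR_LOG.append({
        "time": int(time.time()),
        "ip": remote_ip,
        "user": username,
        "event": "login_failed",
    })
    return {
        "ok": False,
        # Same message for a bad username and a bad password.
        "message": "Incorrect username or password.",
        # Only the username is filled back in, escaped for HTML output.
        "username_field": html.escape(username, quote=True),
        # The password input is rendered empty (type="password", no value).
        "password_field": "",
    }
```

Users occasionally type their password into the username box, so the logged `user` value deserves the same access restrictions as any other sensitive log field.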
