Rovak / wallet-web

Tron Protocol Wallet

Home Page: https://tronscan.org


Show password

DevObs1 opened this issue

8d91373

This commit is not consistent with the alerts in the registration screen.

We indicate to the user that no one can help him recover the password and that it must be written on paper.

And then we add a new button to display his password. (/account)

I disagree..
1 - All 3 statements at the login page are true, no one can help you to recover the password.
2 - If you can click on "Show password" it is because you are logged in, and if you are logged in that is because you knew your password to log in.


I have never seen a website where you can see your password in plain text, sounds weird and unsafe to me.

@lazarovicedo

1 - All 3 statements at the login page are true, no one can help you to recover the password.

And then we implement a way to recover the password?

2 - If you can click on "Show password" it is because you are logged in, and if you are logged in that is because you knew your password to log in.

Or you just so happened to walk past someone else's account and can view the password with the click of a button.

@lazarovicedo

1 - All 3 statements at the login page are true, no one can help you to recover the password.

They are not at once, since there is someone who maintains this website and has allowed (via this feature) to recover the password.

2 - If you can click on "Show password" it is because you are logged in, and if you are logged in that is because you knew your password to log in.

If I'm already connected it's because I know my password, I do not need it to be shown.
At the security level, it's average.

I confirm what @daivyy mentioned, never seen a website where you can see your password in plain text.
At best, you can reset it.

If you click on "Show password", it doesn't actually send any request to the website. The password is not received from the network. The password is known by the web browser because it is locally stored during login (try with Burp Suite or any local proxy application).


But I agree that it is confusing for the end-user, and that this feature should be removed on the mainnet.

You are right, the show password feature could be removed.

PR #153 removes the show password button