[GH-ISSUE #184] [Security Suggestion] Password field and initial password #145

Closed
opened 2026-02-26 09:36:17 +03:00 by kerem · 8 comments

Originally created by @Sebbo94BY on GitHub (Apr 16, 2016).
Original GitHub issue: https://github.com/opensolutions/ViMbAdmin/issues/184

Currently, you can set a password and it will be displayed in clear-text instead of censored. Please change the input field to password instead of text and add a second one to validate the entered password.

If needed, you may add a "View password" button, which temporarily changes the password-field to a text-field.

If the user uses the "create a random password" button, it should be automatically set to both input fields.

Anyway: In my opinion it's a no-go to send out the set password in clear-text via email to the user.

I would prefer that the password isn't sent out, if at creation of the mailbox an individual password was set. If it's a random password, it should be sent separately in a second email and/or the user has to change it immediately after the first login. This action needs to be forced at login.
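
The flow requested above, as an added example that is not part of the original issue and is not ViMbAdmin code: an admin-set password must match its confirmation and is never mailed, while a generated one goes out in a separate message and forces a change at first login. All function names, the `$notify` address and the use of `password_hash()` as the storage scheme are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers; none of these names are ViMbAdmin's.

/** Random initial password from the CSPRNG, avoiding look-alike characters. */
function randomPassword(int $length = 16): string
{
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

/** $password/$confirm are the two form fields; both null means "generate one". */
function provisionMailbox(string $address, string $notify, ?string $password, ?string $confirm): array
{
    $generated = ($password === null && $confirm === null);
    if ($generated) {
        $password = randomPassword();
    } elseif ($password === null || $confirm === null || !hash_equals($password, $confirm)) {
        throw new InvalidArgumentException('Password and confirmation do not match.');
    }
    // The welcome mail never carries the password.
    $mails = [['to' => $notify, 'subject' => 'Mailbox created',
               'body' => "Mailbox $address has been created."]];
    if ($generated) {
        // A generated password goes out in its own message and must be replaced at first login.
        $mails[] = ['to' => $notify, 'subject' => 'Initial password',
                    'body' => "Initial password (change required at first login): $password"];
    }
    return [
        'mailbox' => ['address' => $address,
                      'hash' => password_hash($password, PASSWORD_DEFAULT),
                      'must_change' => $generated],
        'mails' => $mails,
    ];
}

/** A correct password on a must_change account only unlocks the change form. */
function login(array $mailbox, string $password): string
{
    if (!password_verify($password, $mailbox['hash'])) {
        return 'denied';
    }
    return $mailbox['must_change'] ? 'change_password_required' : 'ok';
}
```

The caller clears `must_change` only after a new password has been stored, so the mailed initial password stops working as soon as the user completes the forced change.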

kerem closed this issue 2026-02-26 09:36:17 +03:00

@Sebbo94BY commented on GitHub (Aug 26, 2016):

Any news regarding this topic?


@barryo commented on GitHub (Aug 29, 2016):

Haven't had a chance to look at this. A PR would be welcome to move things along.


@Sebbo94BY commented on GitHub (Aug 29, 2016):

Sorry, didn't get that. What would be welcome?


@barryo commented on GitHub (Aug 29, 2016):

PR => Pull Request (i.e. code)


@Sebbo94BY commented on GitHub (Aug 29, 2016):

Ah, ok. Yes, when I can find some time at the weekend, I'll try to figure out a solution.


@Sebbo94BY commented on GitHub (May 17, 2020):

@barryo has this been changed?


@barryo commented on GitHub (May 18, 2020):

No @Sebi94nbg - just closing it for 'timeout' - dates from 2016 😉


@barryo commented on GitHub (May 18, 2020):

(still happy to look at a PR of course)
