[thesite] password input on user account page
Seb
seb at members.evolt.org
Tue Jan 8 10:06:52 CST 2002
Hi guys,

I'm just trying to get up to speed on thesite, as it's been a few months
since I've had the time to actually contribute properly. In doing so, I've
been playing around with a lot of the new features, and all I can say is 'wow'.

I do have one suggestion which impacts security and usability.

On the user account page where you can change your info, the password boxes
are populated. This is a minor security hazard, as you could now
potentially find a user's login details just by searching through their
cache. I know it sounds unlikely to impact anyone, but it's not unheard of
for sysadmins (ie. people like me) to get bored and go searching network
caches for this kind of thing.

Obvious minor change to code: don't update the password if the input is empty.

Now, would anyone be kind enough to write a couple of paragraphs of
cliff's-notes to help me catch up on [thesite]? Pretty please?

Seb.
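
The change suggested in the message above, sketched as an added example (not code from thesite itself): the account form is rendered with empty password boxes, and the update handler treats an empty box as "keep the current password". The field names, the `/account` path, the `Cache-Control: no-store` header and the PBKDF2 hashing are assumptions of this example.

```python
import hashlib
import hmac
import os
from html import escape


def hash_password(password, salt=None):
    """Salted PBKDF2 hash (assumed storage format for this example)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def render_account_form(user):
    """Return (headers, html). No stored credential is ever written into the page."""
    # Assumption: also ask browsers and proxies not to keep a copy of the page.
    headers = {"Cache-Control": "no-store"}
    email = escape(user["email"], quote=True)
    html = (
        '<form method="post" action="/account">\n'
        f'  <input type="text" name="email" value="{email}">\n'
        # Password boxes are always rendered empty, whatever is stored.
        '  <input type="password" name="password" value="" autocomplete="new-password">\n'
        '  <input type="password" name="confirm" value="" autocomplete="new-password">\n'
        "</form>"
    )
    return headers, html


def apply_account_update(user, form):
    """Return an updated copy of user; an empty password box means 'no change'."""
    updated = dict(user)
    updated["email"] = form.get("email", user["email"]).strip()
    new_pw = form.get("password", "")
    if new_pw == "":
        return updated  # blank input: leave password_hash untouched
    confirm = form.get("confirm", "")
    if not hmac.compare_digest(new_pw.encode(), confirm.encode()):
        raise ValueError("password and confirmation do not match")
    updated["password_hash"] = hash_password(new_pw)
    return updated
```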