[thesite] password input on user account page

Seb seb at members.evolt.org
Tue Jan 8 10:06:52 CST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

I'm just trying to get up to speed on thesite, as it's been a few months 
since I've had the time to actually contribute properly. In doing so, I've 
been playing around with a lot of the new features, and all I can say is 'wow'.

I do have one suggestion which impacts security and usability.

On the user account page where you can change your info, the password boxes 
are populated. This is a minor security hazard, as you could now 
potentially find a user's login details just by searching through their 
cache. I know it sounds unlikely to impact anyone, but it's not unheard of 
for sysadmins (i.e. people like me) to get bored and go searching network 
caches for this kind of thing.

Obvious minor change to code: don't update the password if the input is empty.

Now, would anyone be kind enough to write a couple of paragraphs of 
cliff's-notes to help me catch up on [thesite]? Pretty please?

Seb.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPDsZXL2V451Vxr52EQIvOwCg8PPXEoEQ2HE8O4Pol0Xbahyw5YwAoJlD
bgeXsHRfHujV/i9RXfdGFhI1
=6q9R
-----END PGP SIGNATURE-----
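
An added example, not part of the original post and not thesite's code: the prefilled form described above next to a form that leaves the password inputs empty, with an update handler that treats an empty input as "keep the current password". The field names, the salted PBKDF2 storage, the `Cache-Control: no-store` header and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import os

def hash_password(password, salt=None):
    # Assumption: the site stores a salted PBKDF2 hash, not the password itself.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(user, password):
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["pw_hash"])

def render_prefilled(email, password):
    # The pattern described in the post: the current password is written into
    # the page, so it ends up in any browser or proxy cache that keeps a copy.
    return ('<input name="email" value="%s">'
            '<input type="password" name="password" value="%s">'
            % (html.escape(email, quote=True), html.escape(password, quote=True)))

def render_account_form(user):
    # Password inputs are always empty; no-store keeps the page out of caches.
    headers = {"Cache-Control": "no-store"}
    body = ('<input name="email" value="%s">'
            '<input type="password" name="password" value="">'
            '<input type="password" name="confirm" value="">'
            % html.escape(user["email"], quote=True))
    return headers, body

def apply_account_update(user, form):
    # The change suggested in the post: an empty password input means
    # "keep the current password", never "set an empty password".
    updated = dict(user, email=form.get("email", user["email"]).strip())
    new_password = form.get("password", "")
    if new_password == "":
        return updated, False
    if new_password != form.get("confirm", ""):
        raise ValueError("password and confirmation do not match")
    updated["salt"], updated["pw_hash"] = hash_password(new_password)
    return updated, True

# Constructed sample record and submission, for illustration only.
_salt, _digest = hash_password("constructed-old-pw")
SAMPLE_USER = {"email": "user@example.org", "salt": _salt, "pw_hash": _digest}
if __name__ == "__main__":
    kept, changed = apply_account_update(SAMPLE_USER, {"email": "new@example.org"})
    print(changed, check_password(kept, "constructed-old-pw"))
```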




