[thesite] password input on user account page

.jeff jeff at members.evolt.org
Tue Jan 8 13:30:52 CST 2002


seb,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Seb
>
> I do have one suggestion which impacts security and
> usability.
>
> On the user account page where you can change your
> info, the password boxes are populated. This is a
> minor security hazard, as you could now potentially
> find a user's login details just by searching through
> their cache. I know it sounds unlikely to impact
> anyone, but it's not unheard of for sysadmins (i.e.
> people like me) to get bored and go searching network
> caches for this kind of thing.
>
> Obvious minor change to code: don't update the password
> if the input is empty.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

i think i'd be willing to do that, but what kind of security implication are
we talking about?  imo, not much of a concern.  we're not a bank.
we're not amazon.com.  there really isn't much to gain by logging in as
someone else.

just a thought,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
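
The change Seb proposes in the quoted message (render the password boxes empty, and treat an empty submission as "keep the current password"), sketched as an added example that is not part of the original thread and not evolt.org's code. The function names, form field names, user record layout and the salted PBKDF2 storage are all assumptions of this sketch.

```python
import hashlib
import hmac
import html
import os

def hash_password(password, salt=None):
    """Salted PBKDF2 hash (storage format is an assumption of this example)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest

def verify_password(password, stored):
    """Re-derive the hash with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def render_account_form(user):
    """Account form: the password inputs are always emitted empty, so no
    credential ends up in the page source or in any cache that stores it."""
    email = html.escape(user["email"], quote=True)
    return (
        '<form method="post" action="/account">\n'
        f'  <input type="text" name="email" value="{email}">\n'
        '  <input type="password" name="password" value="">\n'
        '  <input type="password" name="password_confirm" value="">\n'
        '  <input type="submit" value="save">\n'
        '</form>'
    )

def update_account(user, form):
    """Apply a submitted form; returns a list of error strings.
    Empty password fields mean 'leave the password alone'."""
    new_pw = form.get("password", "")
    confirm = form.get("password_confirm", "")
    if (new_pw or confirm) and new_pw != confirm:
        return ["passwords do not match"]   # nothing is changed on error
    user["email"] = form.get("email", user["email"]).strip()
    if new_pw:                              # only touch the hash when asked to
        user["password_hash"] = hash_password(new_pw)
    return []
```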





