Tue Jan 8 13:30:52 CST 2002


> From: Seb
> I do have one suggestion which impacts security and
> usability.
> On the user account page where you can change your
> info, the password boxes are populated. This is a
> minor security hazard, as you could now potentially
> find a user's login details just by searching through
> their cache. I know it sounds unlikely to impact
> anyone, but it's not unheard of for sysadmins (i.e.
> people like me) to get bored and go searching network
> caches for this kind of thing.
> Obvious minor change to code: don't update the password
> if the input is empty.

i think i'd be willing to do that, but what kind of security implication are
we talking about?  imo, not much of a concern.  we're not a bank.
we're not amazon.com.  there really isn't much to gain by logging in as
someone else.

just a thought,
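
The two changes Seb's message implies, as an added example (not code from the original thread or the project being discussed): the account form renders the password inputs empty instead of pre-filling them, and the update handler treats an empty password box as "leave it unchanged". It also sets no-store cache headers, which goes slightly beyond the thread because the concern raised is cached copies of the page. The user record, form fields and hashing scheme are assumptions.

```python
import hashlib
import hmac
import os
from html import escape

PBKDF2_ROUNDS = 100_000  # assumption: any salted, slow hash would do here


def set_password(user, password):
    """Store a salted hash only; the form never needs the plaintext back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    user["pw_hash"] = salt + digest


def check_password(user, password):
    salt, digest = user["pw_hash"][:16], user["pw_hash"][16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def render_account_form(user):
    """Build the 'change your info' page.

    The password inputs deliberately carry an empty value= attribute, so no
    secret ends up in a browser or proxy cache of this page.  The headers tell
    caches not to retain the page at all.
    """
    body = (
        '<form method="post">'
        f'<input name="login" value="{escape(user["login"])}">'
        '<input type="password" name="password" value="">'
        '<input type="password" name="password2" value="">'
        '</form>'
    )
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    return headers, body


def apply_account_update(user, form):
    """Seb's rule: an empty password box means 'do not touch the password'."""
    user["login"] = form.get("login", user["login"])
    new_pw = form.get("password", "")
    if new_pw == "":
        return "password unchanged"
    if new_pw != form.get("password2", ""):
        return "passwords do not match"
    set_password(user, new_pw)
    return "password updated"
```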


