[thesite] password input on user account page
.jeff
jeff at members.evolt.org
Tue Jan 8 13:30:52 CST 2002
seb,
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Seb
>
> I do have one suggestion which impacts security and
> usability.
>
> On the user account page where you can change your
> info, the password boxes are populated. This is a
> minor security hazard, as you could now potentially
> find a user's login details just by searching through
> their cache. I know it sounds unlikely to impact
> anyone, but it's not unheard of for sysadmins (ie.
> people like me) to get bored and go searching network
> caches for this kind of thing.
>
> Obvious minor change to code: don't update the password
> if the input is empty.
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
i think i'd be willing to do that, but what kind of security implication are
we talking about? imo, not much of a concern. we're not a bank.
we're not amazon.com. there really isn't much to gain by logging in as
someone else.
just a thought,
.jeff
http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
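
The change Seb suggests, sketched as an added example (not part of the original thread and not evolt.org's code): the account form is rendered with the password boxes empty, and an empty password input leaves the stored credential untouched. The function names, form field names, the /account action and the salted PBKDF2 record format are all assumptions.

```python
import hashlib, hmac, html, os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this sketch

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; this record format is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, record):
    salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def render_account_form(user):
    """Profile fields are echoed back (escaped); the password boxes are always
    empty, so no credential ends up in a browser or proxy cache."""
    return (
        '<form method="post" action="/account">\n'
        f'<input name="email" value="{html.escape(user["email"], quote=True)}">\n'
        '<input type="password" name="password" value="" autocomplete="new-password">\n'
        '<input type="password" name="confirm" value="" autocomplete="new-password">\n'
        '</form>'
    )

def apply_account_update(user, form):
    """Return (updated_user, errors). Empty password input means 'keep current'."""
    updated = dict(user, email=form.get("email", user["email"]).strip())
    new_pw, confirm = form.get("password", ""), form.get("confirm", "")
    if new_pw == "" and confirm == "":
        return updated, []  # password left untouched
    if new_pw != confirm:
        return user, ["password and confirmation do not match"]
    updated["pw_hash"] = hash_password(new_pw)
    return updated, []

# Constructed sample record, not real data.
SAMPLE_USER = {"email": "seb@example.org", "pw_hash": hash_password("old-secret")}
```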