From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Red Hat/1.7.8-1.1.3.1
Description of problem:
When creating a new user, under "Desired Password" there are "******". This field should be left blank.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. 1
2.
3.
Additional info:
Bret, any thoughts on this?
I could go either way. Maybe Maureen has a stronger opinion...
I certainly think leaving password fields blank in terminal programs such as ssh is a good security practice. I don't think I've ever seen this on a web form password field, however. The problem I see with this is that someone is going to fill out the form, look at the password field and think they never filled it in. Also, if they submit the form and it dumps them back (e.g. because they forgot to fill part of their mailing address) the password field is actually blanked out so they may not realize they have to fill it in again. In the end I think it's a non-standard practice to force blank password fields, and that it's up to the web browser to decide how to display them. However, if you really wanted to mask how long the password is, you could make the password form field just long enough to only display the minimum number of characters required for a password (5). Then, for passwords that are > 5 characters, the text inside the box will scroll without expanding the box so the length of the password would be masked while still maintaining the asterisk visual cue that the field has been filled out. Some sites change the number of asterisks in the field on focus out but I don't think that's possible w/o JavaScript.
The problem is that when you create a new user the "Desired Password" field already has the asterisks by default. This field should be left blank until the user is created and the passwords are entered. After the user is created and the passwords are entered, the asterisks should show up in both password fields.
Hi Scott, I'm not seeing this from either of the new account creation forms at https://rhn.redhat.com/newlogin/ or under the users tab within the interface at https://rhn.redhat.com/network/users/create.pxt (hosted and satellite). So I'm not sure about what page you're referring to. Can you provide a URL?
Hi Maureen, Here is the URL: https://qachaos.nplab.redhat.com/rhn/users/CreateUser.do?account_type=into_org You can log in as user: "sat-admin" pass: "four11" This is the version that we are currently running: rhn-satellite-4.0.0-79a-redhat-linux-as-i386-4-embedded-oracle.iso
Mike said he is not seeing the problem either... the problem appears to be with my browser. I am using Mozilla 1.7.8.
I reproduced this by downloading Mozilla 1.7.8 and doing the following:
1) Turn on "Remember Passwords": Edit -> Preferences, Privacy and Security -> Passwords, Remember Passwords -> Checked ON
2) Go here: http://qachaos.nplab.redhat.com, log in as sat-admin/four11 and when it asks if you want to save the password, say yes.
3) Users -> create new user. Notice the Desired password is filled out.
Fixing and checking in. Just renamed the fields in the user edit/create pages to "desiredpassword" and "desiredpasswordConfirm".
TESTPLAN: I reproduced this by downloading Mozilla 1.7.8 and doing the following:
1) Download Mozilla 1.7.8 if you don't have it. Turn on "Remember Passwords": Edit -> Preferences, Privacy and Security -> Passwords, Remember Passwords -> Checked ON
2) Log in to your sat and when it asks if you want to save the password, say yes. This part is key.
3) Users -> create new user. Verify that the desired password isn't filled out.
4) Users -> click on an existing user. Hit the "save" button, make sure you don't get a message stating that the passwords don't match.
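A regression check to go with the test plan above, as an added example that is not part of the bug thread or the RHN code base: it flags password inputs on a non-login page that reuse the name of the login form's password field. The markup and the pre-fix field names (`password`, `passwordConfirm`) are constructed assumptions; the thread only gives the new names.

```python
from html.parser import HTMLParser


class PasswordFieldCollector(HTMLParser):
    """Collect the name attribute of every <input type="password"> on a page."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <input ... /> via handle_startendtag.
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "password":
            self.names.append(attr.get("name") or "")


def password_field_names(html):
    """Return the names of all password inputs in the given HTML, in order."""
    collector = PasswordFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.names


def autofill_collisions(login_html, other_html):
    """Password field names on other_html that also appear on the login page.

    Names are compared case-insensitively, which is deliberately conservative:
    a form that collides here is a candidate for a saved login password being
    filled into a field that should start out empty.
    """
    login_names = {n.lower() for n in password_field_names(login_html)}
    return [n for n in password_field_names(other_html) if n.lower() in login_names]


# Constructed sample markup (hypothetical, not copied from the RHN pages).
LOGIN = ('<form action="/login"><input type="text" name="username">'
         '<input type="password" name="password"></form>')
# Assumed pre-fix create-user form: reuses the login field name.
CREATE_BEFORE = ('<form action="/users/create"><input type="text" name="login">'
                 '<input type="password" name="password">'
                 '<input type="password" name="passwordConfirm"/></form>')
# Post-fix form, using the field names given in the fix comment.
CREATE_AFTER = ('<form action="/users/create"><input type="text" name="login">'
                '<input type="password" name="desiredpassword">'
                '<input type="password" name="desiredpasswordConfirm"/></form>')

if __name__ == "__main__":
    print("before:", autofill_collisions(LOGIN, CREATE_BEFORE))
    print("after: ", autofill_collisions(LOGIN, CREATE_AFTER))
```
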
*** Bug 161871 has been marked as a duplicate of this bug. ***
prod ready