Bug 161869 - desired password for new user creation
desired password for new user creation
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Web Site (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Mike McCune
Vlady Zlatkin
: 161871 (view as bug list)
Depends On:
Blocks: 147875
  Show dependency treegraph
Reported: 2005-06-27 19:05 EDT by Scott Spurrier
Modified: 2007-04-18 13:28 EDT (History)
3 users (show)

See Also:
Fixed In Version: RHN 4.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-08-31 23:08:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Scott Spurrier 2005-06-27 19:05:47 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Red Hat/1.7.8-

Description of problem:
When creating a new user, under "Desired Password" there are "******".  This field should be left blank.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. 1

Additional info:
Comment 1 Mike McCune 2005-06-27 19:15:20 EDT
Bret, any thoughts on this?
Comment 2 Bret McMillan 2005-06-28 09:23:22 EDT
I could go either way.  Maybe Maureen has a stronger opinion...
Comment 3 Máirín Duffy 2005-06-28 10:55:30 EDT
I certainly think leaving password fields blank in terminal programs such as ssh
is a good security practice. I don't think I've ever seen this on a web form
password field, however. 

The problem I see with this is that someone is going to fill out the form, look
at the password field and think they never filled it in. Also, if they submit
the form and it dumps them back (e.g. because they forgot to fill part of their
mailing address) the password field is actually blanked out so they may not
realize they have to fill it in again. In the end I think it's a non-standard
practice to force blank password fields, and that it's up to the web browser to
decide how to display them.

However, if you really wanted to mask how long the password is, you could make
the password form field just long enough to only display the minimum number of
characters required for a password (5). Then, for passwords that are > 5
characters, the text inside the box will scroll without expanding the box so the
length of the password would be masked while still maintaining asterisk visual
cue that the field has been filled out.

Some sites change the number of asterisks in the field on focus out but I don't
think that's possible w/o javascript.
Comment 4 Scott Spurrier 2005-06-28 11:11:47 EDT
The problem is that when you create a new user the "Desired Password" field
already has the asterisks by default.  This field should be left blank until the
user is created and the passwords are entered.  After the user is created and
the passwords are entered, the asterisks should show up in both password fields.
Comment 5 Máirín Duffy 2005-06-28 11:22:23 EDT
Hi Scott, I'm not seeing this from either of the new account creation forms at
https://rhn.redhat.com/newlogin/ or under the users tab within the interface at
https://rhn.redhat.com/network/users/create.pxt (hosted and satellite). So I'm
not sure about what page you're referring to. Can you provide an URL?
Comment 6 Scott Spurrier 2005-06-28 11:43:15 EDT
Hi Maureen,  

Here is the URL: 

You can log in as user: "sat-admin" pass: "four11"

This is the version that we are currently running:

Comment 7 Scott Spurrier 2005-06-28 11:48:21 EDT
Mike said he is not seeing the problem either... the problem appears to be with
my browser. I am using mozilla 1.7.8
Comment 8 Mike McCune 2005-06-28 12:02:22 EDT
I reproduced this by downloading mozilla 1.7.8 and doing the following:

1) Turn on "Remember Passwords"
   Edit -> Preferences
   Privacy and Security -> Passwords
   Remember Passwords -> Checked ON

2) Go here:
   login as sat-admin/four11 and when it asks if you want to save the password, 
   say yes.

3) Users -> create new user.  Notice the Desired password is filled out.
Comment 9 Mike McCune 2005-06-28 16:24:35 EDT
Fixing and checking in.  Just renamed the fields in the user edit/create pages
to "desiredpassword" and "desiredpasswordConfirm".
Comment 10 Mike McCune 2005-06-28 16:46:48 EDT

I reproduced this by downloading mozilla 1.7.8 and doing the following:

1) Download Mozilla 1.7.8 if you dont have it.
   Turn on "Remember Passwords"
   Edit -> Preferences
   Privacy and Security -> Passwords
   Remember Passwords -> Checked ON

2) Login to your sat and and when it asks if you want to save the password, 
   say yes.  This part is key.

3) Users -> create new user.  Verify that the desired password isn't filled out.

4) Users -> click on an existing user.  Hit the "save" button, make sure you 
   don't get a message stating that the passwords don't match.

Comment 11 Ken Ganong 2005-06-29 14:32:13 EDT
*** Bug 161871 has been marked as a duplicate of this bug. ***
Comment 12 Vlady Zlatkin 2005-07-22 14:40:00 EDT
prod ready

Note You need to log in before you can comment on or make changes to this bug.