[MGNLUI-4182] Password field stores password in plain text

Created: 31/Mar/17 | Updated: 08/Mar/21 | Resolved: 08/Mar/21

| Status: | Closed |
| Project: | Magnolia UI |
| Component/s: | forms |
| Affects Version/s: | 5.7 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Antti Hietala |
| Assignee: | Unassigned |
| Resolution: | Workaround exists |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: | [ ]* Doc/release notes changes? Comment present? [ ]* Downstream builds green? [ ]* Solution information and context easily available? [ ]* Tests [ ]* FixVersion filled and not yet released [ ] Architecture Decision Record (ADR) |
| Bug DoR: | [ ]* Steps to reproduce, expected, and actual results filled [ ]* Affected version filled |
| Documentation update required: | Yes |
| Date of First Response: | |
Description

In the Password field documentation we say:

This statement is not correct, at least not by default. The password field stores the password in the repository in plain text (unencrypted) by default. To reproduce, configure the field in any form and examine the result. It's not clear what the user must do to enable the encryption. An encode property is listed in the documentation, but it doesn't seem to do anything. PasswordFieldDefinition has no such property. Fix the default behavior or document how to enable encryption.
Comments

Comment by Jan Haderka [ 31/Mar/17 ]

Not sure if this is a product issue or a documentation issue. The password field is a simple text field that hides the text visually from prying eyes; however, it stores directly the value provided by the user. If we stored just a hash, it would mean that the system could never find out the underlying password (which is OK when you want to authenticate against the password and compare just the stored hash against the hash of the password provided during login), but it is not OK if you are entering a password to be stored by the system to access other systems requiring authentication (where Magnolia needs to enter the password on behalf of the user). The password safe/manager app should anyway be used for the latter case. In the case of our user dialog, we use the password field only to collect the value of the password entered by the user, but delegate the whole saving of the user and the hashing to the underlying user manager (which might or might not be the internal Magnolia User Manager and might or might not hash the password).
Comment by Roman Kovařík [ 08/Mar/21 ]

Closing this, as it is clearly stated in the latest documentation.