Password Mask

baxterdown 11 Jan, 2017
Hi Bob,

I just changed my settings for sending CF form emails via SMTP and noticed the password field is not masked. When I type in the password not only am I seeing every character, it also stays there. If I go back to that page, the password is there in all its glory!

Needless to say, this is a huge security risk. Please add a mask to the password field in settings.

Thanks in advance,

Jose

GreyHead 11 Jan, 2017
Hi Jose,

That would be for Max to change in a new release - but I'm not clear what the security risk is? Do you have some untrustworthy site admins?

Bob

baxterdown 11 Jan, 2017
Hi Bob, I don't. But there are "external forces" that could come into play. Here are two scenarios that pose a risk:

- The site gets hacked (as much as we try to avoid this by installing all patches, you and I know this can very well happen)
- An admin's computer gets hacked (some of my clients are super admins. I can't control how good they are with security)

In the end, masking password fields is standard procedure for web development. Please pass the request on to Max for the next release.

Best always :-)

j.

GreyHead 12 Jan, 2017
Hi Baxterdown,

If you want to, then you can change the setting at line 50 of /administrator/components/com_chronoforms5/chronoforms/views/settings.php

Neither of your scenarios is actually valid - all that a password input does is protect from 'over the shoulder' risks where someone else can see you typing in a password. If you have browser access to the page then it is trivial to use the web developer tools to see what the password is.

Bob
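
The two points raised in this thread, as an added example that is not part of any post and is not ChronoForms code: a masked field that echoes the stored value still delivers it in the page markup, while a write-only field never sends it back to the browser. The function names, the `smtp_password` field name and the sample secret are assumptions made for the illustration.

```php
<?php
// Added example, not ChronoForms code. All names here are hypothetical.

// Echoes the stored secret into the page. type="password" only changes how the
// browser draws the characters; the value is still in the HTML source and DOM.
function render_masked_echo(string $stored): string
{
    return '<input type="password" name="smtp_password" value="'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// Write-only field: the stored secret is never sent back to the browser.
// The placeholder only says whether a value exists.
function render_write_only(bool $isSet): string
{
    $hint = $isSet ? 'unchanged unless you type a new one' : 'not set';
    return '<input type="password" name="smtp_password" value=""'
        . ' autocomplete="new-password" placeholder="' . $hint . '">';
}

// On save, an empty submission keeps the current secret instead of erasing it,
// which is what makes it safe to render the field blank.
function resolve_saved_password(string $stored, ?string $submitted): string
{
    return ($submitted === null || $submitted === '') ? $stored : $submitted;
}

$stored = 'constructed-sample-secret'; // constructed value for the demo

$echoed    = render_masked_echo($stored);
$writeOnly = render_write_only($stored !== '');

// Is the secret contained in each rendered field?
var_dump(strpos($echoed, $stored) !== false);
var_dump(strpos($writeOnly, $stored) !== false);

// Does a blank save keep the old value, and a typed one replace it?
var_dump(resolve_saved_password($stored, '') === $stored);
var_dump(resolve_saved_password($stored, 'new-secret') === 'new-secret');
```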