It would be more secure to mask module passwords rather than show the password to all staff. Maybe there could be a setting in the configuration to turn this on/off?
Merged Ideas
Password field in services masked by default with reveal button
Currently the password field in the products/services tab of a client profile is always visible, which is bad practice.

This feature request proposes 2 options to improve how passwords are displayed for services.

Option 1: Minimal change but still poor security

Change the id="inputPassword" from a textbox to a password field with the password as its value and a reveal button that makes the password field's text visible. Basically the same as the admin login form, this ensures staff are not seeing passwords every time they look at a service unless they click the reveal button.

Option 2: Enhanced Security

Change the id="inputPassword" from a textbox to a password field with a random default value and a reveal button. When the reveal button is clicked, it does a callback to retrieve the password from the database, then displays it in the field. The callback is logged to an audit log with the staff account and service.

This solution makes it possible to monitor for credential harvesting via the logs and does not place the password in the HTML.
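A sketch of how Option 2 could work end to end, added here as an illustration and not part of the original request or of the product's code. The function names, the audit entry layout and the window/threshold values are all hypothetical, and the service data is constructed.

```python
import secrets
from collections import defaultdict

# Constructed sample data: service id -> stored service password.
SERVICE_PASSWORDS = {101: "s3rv1ce-A", 102: "s3rv1ce-B", 103: "s3rv1ce-C", 104: "s3rv1ce-D"}

def render_password_field():
    """Value placed in the HTML: a random placeholder, never the real password."""
    return secrets.token_urlsafe(12)

def reveal_password(staff, service_id, audit_log, now):
    """Reveal callback: write the audit entry first, then return the password."""
    if service_id not in SERVICE_PASSWORDS:
        raise KeyError(f"unknown service {service_id}")
    audit_log.append({"ts": now, "staff": staff, "service": service_id})
    return SERVICE_PASSWORDS[service_id]

def flag_harvesting(audit_log, window=300, threshold=3):
    """Return staff who revealed more than `threshold` distinct services
    within any `window`-second span (hypothetical tuning values)."""
    by_staff = defaultdict(list)
    for entry in sorted(audit_log, key=lambda e: e["ts"]):
        by_staff[entry["staff"]].append(entry)
    flagged = set()
    for staff, entries in by_staff.items():
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans at most `window` seconds.
            while entries[end]["ts"] - entries[start]["ts"] > window:
                start += 1
            services = {e["service"] for e in entries[start:end + 1]}
            if len(services) > threshold:
                flagged.add(staff)
                break
    return sorted(flagged)

def demo():
    log = []
    # Constructed activity: alice opens one service, bob walks through four in a minute.
    reveal_password("alice", 101, log, now=1000)
    for i, sid in enumerate([101, 102, 103, 104]):
        reveal_password("bob", sid, log, now=2000 + i * 15)
    return log, flag_harvesting(log)

if __name__ == "__main__":
    print(demo()[1])
```

Writing the audit entry before returning the password means a reveal cannot succeed without leaving a record for the monitoring step to use.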
Hide products/services passwords in admin area
I'm quite uncomfortable with service passwords showing as clear text in the admin area. This is a problem especially when you don't want everyone in your company to access such sensitive data. Right now it is not possible to grant staff members permissions to view a product/service without letting them know all login credentials from your customers. Even for administrators it is bad practice to have these details all the time on your screen. It should be possible to hide and only show them on request.

This applies to the password field and custom fields with type password.