
Feature request : Hide default Username / Password after changed

Open lollett opened this issue 3 years ago • 4 comments

It's easy to manually remove default credential details (example below) from webpage multiotp.server.php but after upgrades it's obviously overwritten:

Login Username: admin (default is admin) User NOT authenticated Password: (default is 1234)

In line with best practice password policies (don't disclose default username, password, etc.), wouldn't it be nice to hide this information after the default admin password has been changed?

Example: Login Username: [blank and no additional text] Password: [blank and no additional text]

lollett, Nov 07 '22 15:11

Hello,

It's of course always possible to quickly know the default username and password, and of course for an open source project :-). Security through obscurity is never a good idea.

Anyway, beside that, we agree that we can remove the default username / password if the default password has been changed.

This will be done in a next release.

Thx for the feedback

Regards,

multiOTP, Nov 09 '22 13:11

Hello,

This has been changed in release 5.9.5.0 and further.

Regards,

multiOTP, Nov 11 '22 21:11

The show default credentials until changed functionality doesn't seem to be working.

i.e. it's not showing admin and 1234 on a clean Windows install of 5.9.7.1

lollett, Feb 14 '24 14:02

Hello,

With a fresh install, the multiotp.ini configuration file is not created before calling the page for the first time. If you do a "SHIFT+RELOAD", the default credentials are displayed. We will try to fix that starting with version 5.9.7.2

Regards,

multiOTP, Feb 16 '24 13:02
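The behaviour agreed on in this thread (show the "default is admin / 1234" hint only while the default admin password is still in place) and the fresh-install edge case described in the last comment (the configuration file does not exist yet on the first page load) can be handled in one small check. The following is an added illustration, not multiOTP's own code: the `[admin]` section, the `password_hash` key and the use of `password_hash()`/`password_verify()` are assumptions chosen for the example, not how multiotp.ini is actually laid out. The key point is that a missing or incomplete configuration is treated as "defaults still active", so the hint does not silently disappear on a fresh install.

```php
<?php
// Added example (not multiOTP's own code): decide whether the login page may
// show the default-credentials hint. It is only useful while the default admin
// password is still in effect; once the password has been changed, hide it.
//
// Assumptions (hypothetical, not taken from multiOTP): the configuration is an
// INI file with an [admin] section whose password_hash value was produced by
// password_hash(); a missing file means a fresh install where defaults apply.

const DEFAULT_ADMIN_USER = 'admin';
const DEFAULT_ADMIN_PASSWORD = '1234';

/**
 * Returns true while the default admin password is still in effect.
 *
 * Edge case from the thread: on a fresh install the INI file does not exist
 * when the page is first requested. Treat "no config" (and an unreadable or
 * incomplete config) as "defaults still active" instead of hiding the hint.
 */
function defaultPasswordStillActive(string $iniPath): bool
{
    if (!is_file($iniPath)) {
        return true; // fresh install: nothing has been changed yet
    }
    // INI_SCANNER_RAW keeps the bcrypt hash literal ("$2y$..." would otherwise
    // be subject to variable expansion).
    $config = parse_ini_file($iniPath, true, INI_SCANNER_RAW);
    if ($config === false || empty($config['admin']['password_hash'])) {
        return true; // unreadable or incomplete config: still treat as default
    }
    // password_verify() does a constant-time comparison against the stored hash.
    return password_verify(DEFAULT_ADMIN_PASSWORD, $config['admin']['password_hash']);
}

/** Hint text shown next to the login fields; both empty once the default is gone. */
function defaultCredentialHint(string $iniPath): array
{
    if (defaultPasswordStillActive($iniPath)) {
        return [
            'username' => '(default is ' . DEFAULT_ADMIN_USER . ')',
            'password' => '(default is ' . DEFAULT_ADMIN_PASSWORD . ')',
        ];
    }
    return ['username' => '', 'password' => ''];
}

// Demonstration with constructed temporary files (sample data, not real config).
$dir = sys_get_temp_dir();
$fresh     = $dir . '/example-missing.ini';   // never created: fresh install
$unchanged = $dir . '/example-unchanged.ini'; // admin still uses the default
$changed   = $dir . '/example-changed.ini';   // admin password was changed

file_put_contents($unchanged, "[admin]\npassword_hash = "
    . password_hash(DEFAULT_ADMIN_PASSWORD, PASSWORD_DEFAULT) . "\n");
file_put_contents($changed, "[admin]\npassword_hash = "
    . password_hash('S0meth1ng-Else!', PASSWORD_DEFAULT) . "\n");

var_dump(defaultCredentialHint($fresh));     // both hints shown
var_dump(defaultCredentialHint($unchanged)); // both hints shown
var_dump(defaultCredentialHint($changed));   // both strings empty

unlink($unchanged);
unlink($changed);
```

Wiring `defaultCredentialHint()` into the login template means the page renders the same way before and after an upgrade overwrites it, which is what the original request was asking for: the decision is driven by the stored configuration rather than by text edited out of the page by hand.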