Show password

Open DevObs1 opened this issue 7 years ago • 6 comments

https://github.com/tronprotocol/wallet-web/commit/8d913734976225d00dda45040bc417da36825fd3

This commit is not consistent with the alerts in the registration screen.

We indicate to the user that no one can help him recover the password and that it must be written on paper.

And then we add a new button to display his password. (/account)

May 03 '18 13:05 DevObs1

I disagree.. 1 - All 3 statements at the login page are true, no one can help you to recover the password. 2- If you can click on "Show password" is because you are logged-in, and if you are logged-in that is because you knew your password to login.

May 04 '18 10:05 lazarovicedo

I have never seen a website where you can see your password in plain text, sounds weird and unsafe to me.

@lazarovicedo

1 - All 3 statements at the login page are true, no one can help you to recover the password.

And then we implement a way to recover the password?

2- If you can click on "Show password" is because you are logged-in, and if you are logged-in that is because you knew your password to login.

Or you just so happened to walk past someone else's account and can view the password with the click of a button.

May 04 '18 11:05 daivy

@lazarovicedo

1 - All 3 statements at the login page are true, no one can help you to recover the password.

They are not at once, since there is someone who maintains this website and has allowed (via this feature) to recover the password.

2- If you can click on "Show password" is because you are logged-in, and if you are logged-in that is because you knew your password to login.

If I'm already connected it's because I know my password, I do not need to be shown. At the security level, it's average.

I confirm what @Daivyy mentioned, never seen a website where you can see your password in plain text. At best, you can reset it.

May 04 '18 12:05 DevObs1

If you click on "Show password", it doesn't send any request to the website actually. The password is not received from the network. The password is known by the web browser because it is locally stored during login (Try with BurpSuite or any local proxy application.)

But I agree that it is confusing for the end-user, and that this feature should be removed on the mainnet.

May 04 '18 12:05 funoverip
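
The comment above verifies the behaviour from the network side (no request on "Show password"). The complementary storage-side check is sketched below as an added example, not part of the thread or of wallet-web's code: log in with a throwaway test account, dump browser storage, and search it for the test password in common encodings. The snapshot, the key names (`app_state`, `last_login`, `return_to`) and the function names are assumptions made for illustration.

```javascript
// Added example: find where a client retains a login secret after login.
// Encodings in which a client commonly keeps a secret it was given.
function encodingsOf(secret) {
  const buf = Buffer.from(secret, 'utf8');
  return {
    plaintext: secret,
    base64: buf.toString('base64'),
    hex: buf.toString('hex'),
    urlencoded: encodeURIComponent(secret),
  };
}

// Walk the snapshot. Storage values are strings that often hold serialized
// JSON state, so a string that parses to an object or array is descended into.
function scan(value, path, needles, hits) {
  if (typeof value === 'string') {
    let parsed;
    try { parsed = JSON.parse(value); } catch (_) { parsed = undefined; }
    if (parsed !== null && typeof parsed === 'object') {
      return scan(parsed, path, needles, hits);
    }
    // Hex may be stored in either case, so compare it case-insensitively.
    const found = Object.keys(needles).find((name) =>
      (name === 'hex' ? value.toLowerCase() : value).includes(needles[name]));
    if (found) hits.push({ path, encoding: found });
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) scan(v, `${path}.${k}`, needles, hits);
  }
  return hits;
}

function findRetainedSecret(snapshot, secret) {
  return scan(snapshot, 'storage', encodingsOf(secret), []);
}

// Constructed sample data: a storage dump taken after logging in with a
// throwaway test account. Key names and values are hypothetical.
const TEST_PASSWORD = 'Tr0n&Test pass!';
const snapshot = {
  localStorage: {
    theme: 'dark',
    app_state: JSON.stringify({ account: { address: 'PLACEHOLDER', key: TEST_PASSWORD } }),
  },
  sessionStorage: {
    last_login: Buffer.from(TEST_PASSWORD).toString('base64'),
    return_to: '/account?hint=' + encodeURIComponent(TEST_PASSWORD),
  },
};

console.log(findRetainedSecret(snapshot, TEST_PASSWORD));
```

Each hit names the storage path and the encoding in which the secret was found; an empty result means none of the four encodings is present in the snapshot, not that the secret is absent from page memory.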

You are right, the show password feature could be removed.

May 04 '18 16:05 lazarovicedo

PR #153 removes the show password button

May 05 '18 16:05 lazarovicedo