Defect #41133

closed

Lack of encryption of password on the client side (?)

Added by Robert Swansons about 2 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:
0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

Hello.

First of all, pardon if the question is dumb, or I am being paranoid (I am kind of tech-naive) but I'll ask nonetheless.
Today, upon inspecting the page (F12 in Chrome) when going to the Network tab -> login -> Payload I am able to see my password in plaintext!

It goes like this:
utf8: check
authenticity_token: cAWSFJiQOWAJERIOQWJRIOJQWOIRJIOQWR
back_url: /
username: arthraspwner1337
password: MY_LITERAL_PASSWORD
login: Login

Now, is there any option (via plugin, settings on website or modifying some ruby config files) to HIDE the password in this tab?
Or is HTTPS sufficient here, or is this the 'industry standard'?

Thanks in advance!

Actions #1

Updated by Go MAEDA about 2 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

Regarding the issue you’ve pointed out, the transmission of the entered login ID and password in plain text during form-based login is a common behavior in web applications. This is not a defect.

To prevent the password from being transmitted in plain text over the network, it is strongly recommended to use HTTPS.
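One detail worth separating out: the browser's DevTools Payload tab shows the request as the page built it, before TLS encrypts it, so it looks the same over HTTP and HTTPS; what HTTPS changes is what anyone on the network path can see. The added Ruby example below (not Redmine's or Rails' code) mimics what Rails' `config.force_ssl = true` does when enabled for a Redmine instance via `config/additional_environment.rb`: plain-HTTP requests are redirected to the https URL, and HTTPS responses carry a Strict-Transport-Security header so the browser will not even try plain HTTP next time. It works on a Rack-shaped `env` hash; the host name `redmine.example` and the `LOGIN_APP` stand-in for the login action are constructed for the example.

```ruby
# Added example: a minimal Rack-style HTTPS enforcement wrapper, illustrating
# the behaviour Rails' `config.force_ssl = true` provides for Redmine.
# This is not Redmine's or Rails' own code.

# One year, the max-age Rails uses by default for Strict-Transport-Security.
HSTS_MAX_AGE = 31_536_000

# True when the request arrived over TLS, either directly or through a
# reverse proxy that sets X-Forwarded-Proto (the usual Redmine deployment).
def https_request?(env)
  return true if env['rack.url_scheme'] == 'https'
  forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
  forwarded.casecmp('https').zero?
end

# Rebuild the requested URL with the https scheme so the browser retries there.
def https_location(env)
  host  = env['HTTP_HOST'] || env['SERVER_NAME']
  path  = env['PATH_INFO'].to_s
  query = env['QUERY_STRING'].to_s
  "https://#{host}#{path}#{query.empty? ? '' : "?#{query}"}"
end

# Wraps a downstream Rack app (here the login action). A plain-HTTP request is
# answered with a redirect instead of being handled; an HTTPS response gets an
# HSTS header. Note the limit of the redirect: a login form POSTed over plain
# HTTP has already left the browser unencrypted, so the protection comes from
# serving the form page itself over HTTPS (and HSTS for repeat visits).
def enforce_https(app, env)
  unless https_request?(env)
    # 301 for GET, 307 otherwise (keeps method and body), as Rails does.
    status = env['REQUEST_METHOD'] == 'GET' ? 301 : 307
    headers = { 'Location' => https_location(env), 'Content-Type' => 'text/plain' }
    return [status, headers, ['Redirecting to HTTPS']]
  end
  status, headers, body = app.call(env)
  headers = headers.merge(
    'Strict-Transport-Security' => "max-age=#{HSTS_MAX_AGE}; includeSubDomains"
  )
  [status, headers, body]
end

# Constructed stand-in for Redmine's login action (hypothetical, not Redmine's).
LOGIN_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html' },
   ['<form method="post" action="/login"><input name="username"><input name="password" type="password"></form>']]
end

# Entry point used below: run the login action behind the HTTPS enforcer.
def handle(env)
  enforce_https(LOGIN_APP, env)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: GET /login over plain HTTP.
  plain = { 'rack.url_scheme' => 'http', 'REQUEST_METHOD' => 'GET',
            'HTTP_HOST' => 'redmine.example', 'PATH_INFO' => '/login',
            'QUERY_STRING' => 'back_url=%2F' }
  status, headers, = handle(plain)
  puts "#{status} -> #{headers['Location']}"
  # Constructed request: same page, but TLS was terminated at a reverse proxy.
  proxied = plain.merge('HTTP_X_FORWARDED_PROTO' => 'https')
  status, headers, = handle(proxied)
  puts "#{status} HSTS=#{headers['Strict-Transport-Security']}"
end
```

On a real deployment the same outcome comes from `config.force_ssl = true` in Redmine's `config/additional_environment.rb` (or the equivalent redirect plus HSTS header in the fronting web server); the point of the hand-written version is to make visible where the redirect and the header are applied relative to reading the form body.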
