Moodle: MDL-57021

The new 'password unmask' field should only be used when entering shared secrets


    • MOODLE_32_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE
    • MOODLE_32_STABLE, MOODLE_33_STABLE
    • MDL-57021-master-v2
      1. Enable email delivery (e.g. using mailcatcher)
      2. Enable email-based self registration so that a user can register
      3. Create a course (enroltest)

      1. As admin, go into the course
      2. Enable guest access in the course, set a guest access password to 'danlovesbeer'
      3. VERIFY: that the guest access password is a password unmask element (not a plain password field)
      4. Enable self enrolment in the course, set an enrolment key to 'andcurrys'
      5. VERIFY: the enrolment key is a password unmask element (not a plain password field)
      6. Logout

      1. On the login page use the 'create a new user' option to register a new user
      2. VERIFY: the registration form has password as a plain password field
      3. Register the user
      4. Use the email you've been sent to confirm the account
      5. Logout and login again, verifying that the password you set works

      1. Login as the user you registered and go to the course enroltest
      2. You should be presented with the option to gain access to the course with guest access or self enrolment
      3. VERIFY: both the password and enrolment key fields are password fields, NOT password unmask fields
      4. Ensure that putting incorrect enrolment keys/passwords in the fields does not allow you to get into the course
      5. Put in the correct guest access password (danlovesbeer) and ensure you are given guest access
      6. Press 'enrol me in this course'
      7. Enter the enrolment key 'andcurrys' and ensure you are enrolled into the course

      There are two aspects of this:

      1) Usability of the standard form fields (e.g. when empty, entering these fields is more annoying than the past behaviour)
      2) Semantics, which are extremely important for why we reimplemented this password field. I think that the response to my whatwg thread says it well: https://lists.w3.org/Archives/Public/public-whatwg-archive/2014Oct/0041.html

      So, you're doing both of the following?

      • Using a password field for (sometimes) things that aren't passwords
      • Storing (potentially) sensitive data in the clear yourself, and sending
        it (again, in the clear) to other accounts/machines

      That is not the use case which was causing problems, and we should not diminish our users' security by using this field in all cases.

      The obvious problem here is that we've named the field 'passwordunmask'. I think that we should rename it to shared secret and only apply it to fields which are actual shared secrets, as they are the only security issue.
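      The distinction the description draws, shown as two Moodle formslib definitions. This is an added illustration written for this page, not code from the issue or from Moodle's enrol_guest/enrol_self plugins: the class names, field names and the `enrolkey` custom-data key are invented, and it assumes a Moodle 3.2+ install where formslib provides both the `password` and `passwordunmask` element types.

```php
<?php
// Added illustration for MDL-57021; not Moodle's own enrol code.
// Assumes formslib is available (loaded through config.php) and that the
// 'password' and 'passwordunmask' element types exist as in Moodle 3.2+.
// Class and field names below are invented for the example.

defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/formslib.php');

/**
 * Admin-side instance settings. The guest access password and the enrolment
 * key are shared secrets: Moodle stores them in the clear and the admin hands
 * them to students out of band, so letting the admin reveal what they typed
 * costs nothing and avoids mistyping a value they cannot otherwise check.
 */
class example_enrol_instance_form extends moodleform {
    public function definition() {
        $mform = $this->_form;

        $mform->addElement('passwordunmask', 'guestpassword', 'Guest access password');
        $mform->setType('guestpassword', PARAM_RAW);

        $mform->addElement('passwordunmask', 'enrolkey', 'Enrolment key');
        $mform->setType('enrolkey', PARAM_RAW);

        $this->add_action_buttons();
    }
}

/**
 * Student-side form. Here the same value is a credential typed by the person
 * being authenticated, so it stays a plain password field: masked on screen,
 * no reveal toggle, treated by the browser as a password.
 */
class example_enrol_me_form extends moodleform {
    public function definition() {
        $mform = $this->_form;

        $mform->addElement('password', 'enrolkey', 'Enrolment key');
        $mform->setType('enrolkey', PARAM_RAW);
        $mform->addRule('enrolkey', get_string('required'), 'required', null, 'client');

        $this->add_action_buttons(true, 'Enrol me in this course');
    }

    /**
     * Server-side check: a wrong key must never enrol the user. The expected
     * key is passed in as custom data (assumed key 'enrolkey') and compared in
     * constant time; an instance with no key configured rejects everything.
     */
    public function validation($data, $files) {
        $errors = parent::validation($data, $files);
        $expected = (string)($this->_customdata['enrolkey'] ?? '');
        $given = (string)($data['enrolkey'] ?? '');
        if ($expected === '' || !hash_equals($expected, $given)) {
            $errors['enrolkey'] = 'Incorrect enrolment key';
        }
        return $errors;
    }
}

// Assumed usage from an enrol page, with the admin-set key read from the
// enrol instance record:
// $form = new example_enrol_me_form(null, ['enrolkey' => $instance->password]);
// if ($data = $form->get_data()) { /* enrol the user */ }
```

      The point of the split is that the element type encodes who is looking at the value: the admin form unmasks a secret its owner already knows and will distribute, while the student form masks a credential being presented for authentication. Renaming the element from 'passwordunmask' to something like 'sharedsecret', as the description proposes, would make that intent visible at the call site.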

            Dan Poltawski (poltawski)
            Damyon Wiese
            Eloy Lafuente (stronk7)
            John Okely
            Votes: 4
            Watchers: 8
