http://sierrabrown.me/ss/phggq97.jpg
The signup form on the front page of x10vps.com doesn't mask the password fields with asterisks (***). This is a bit of a security issue for public areas or people with nosey 'friends'.
***I am taking a break from support to focus on getting into college. Wish me luck!
█ Sierra Brown | x10Hosting Volunteer Support
█ sierra[@]x10hosting.com
█ x10Hosting - Giving Away Hosting Since 2004
█ Premium Hosting | VPS Services
Yeah, I can confirm this, tested in FF, Chrome and IE.
█ GtoXic | x10Hosting Technical Support
█ john.h[@]x10hosting.com
█ x10Hosting - Giving Away Hosting Since 2004
█ Premium Hosting | VPS Services
just received my password by Email as "plaintext" - not nice
I confirm the signup form shows the password as "plaintext" - not nice
I assume from the above my password is stored unencrypted (same as "plaintext") by x10hosting
Without looking at the code, I couldn't say for sure, but I'm willing to bet your password is hashed in our database. Just because you receive an email with your password doesn't mean the password's being stored in cleartext (correct wording; it's not plaintext). It's as simple as setting a separate variable with the stored password for the email, or simply sending the email before hashing. As for the confirmation page, it's probably in the GET params (or it's a cookie).
█ Neil Hanlon | x10Hosting Support Representative
█ Neil[at]x10hosting.com
█ I'm always happy to help. Just ask a question in Free Hosting
█ Terms of Service IRC
Password masking should only ever be an option (or at the very least, there should be an option to render clear text). Y'all folks ought to keep up on security best practices—the object of the game is to encourage passwords with high entropy (longer is better, regardless of the complexity of the character pattern) and that results in greater opportunities for typos. Password masking tends to encourage simpler/shorter passwords.
Emailing clear text passwords is generally a bad idea no matter how the password is actually stored in the login system (and one would hope that it's at least stored as a salted hash with a high work factor; preferable is both salt and pepper)—email systems are rarely as secure as one would like, and an email program (or a webmail page) is one of those things that's likely to be left open for an extended period of time.
“Beware of bugs in the above code; I have only proved it correct, not tried it.” --Donald Knuth
"It was as if its architects were given a perfectly good hammer and gleefully replied, 'neat! With this hammer, we can build a tool that can pound in nails.'" -- Alex Papadimoulis (on TheDailyWTF.com)
Just to clarify on some things...
I've never agreed with the masking password field thing on registration; it doesn't change the way it is stored\submitted on the server, it only causes inconvenience for the user. Apparently it's to prevent shoulder peeping? As it is a simple change, I'll go ahead and enable it.
With that said, I understand the email issue... personally I change my passwords any time I get one via email, whether it's from a reset\registration, etc. But I understand not everyone does what I do, so I'll fix that so passwords are no longer emailed, and if someone 'forgets', the email clearly tells them to log in and change it immediately. If I have time I'll force a password change upon login from a reset.
Passwords are encrypted in all of our systems; it was very difficult to do encryption with the VPN setup due to RADIUS, but it is done. Overall I think the way we handle things in general between all the systems\sites we have is very secure compared to the industry norm.
█ Corey Arbogast | CEO
█ 888-X10-9668 - corey[@]x10hosting.com
█ x10Hosting - Giving Away Hosting Since 2004
█ Premium Hosting | VPS Services
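As an added example, not code from x10hosting or from anyone in this thread, the following Python model ties together the two points raised above: storing passwords only as a salted hash with a tunable work factor (plus a server-side pepper), and replacing the emailed password with a single-use, expiring reset token so that nothing sent by email is ever a credential. It assumes PBKDF2-HMAC-SHA256 from the standard library in place of scrypt or Argon2, a hypothetical `PEPPER` value that would really live in configuration or a KMS, and an in-memory dict standing in for the database; the iteration count is kept low so the example runs quickly, and the comment notes the production figure.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical server-side secret ("pepper"). Constructed placeholder: in a real
# deployment it comes from config or a KMS and is never written to the database,
# so a database dump alone is not enough to start cracking.
PEPPER = b"example-pepper-replace-me"

# Work factor. Kept low here so the example runs fast; OWASP guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations, and scrypt/Argon2id are preferable.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def hash_password(password, salt=None):
    """Return (salt, digest). Per-user random salt + server-wide pepper + work factor."""
    salt = os.urandom(16) if salt is None else salt
    # Pepper is applied by keying an HMAC over the password before the slow hash.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _token_key(token):
    # Only the hash of a reset token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).digest()


class UserStore:
    """In-memory stand-in for the accounts table and the reset-token table."""

    def __init__(self):
        self.users = {}         # username -> {"salt": bytes, "digest": bytes}
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)

    def register(self, username, password):
        salt, digest = hash_password(password)
        # Only salt and digest are kept; there is no plaintext copy left to email.
        self.users[username] = {"salt": salt, "digest": digest}

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            hash_password(password)  # spend the same time for unknown users
            return False
        return verify_password(password, record["salt"], record["digest"])

    def issue_reset_token(self, username, now=None):
        """Return the one-time token that goes into the reset email (never a password)."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_token_key(token)] = (username, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token exactly once, reject if expired, then set the new hash."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(_token_key(token), None)  # single use
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.users[username] = {"salt": salt, "digest": digest}
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    token = store.issue_reset_token("alice")
    # The email body carries only the token; the account's password never leaves the server.
    print("Reset link: https://example.invalid/reset?token=" + token)
    print("reset ok:", store.complete_reset(token, "a new, longer passphrase"))
    print("login ok:", store.login("alice", "a new, longer passphrase"))
```

The two properties worth checking in a review of a real implementation are that the record written to the database has no field from which the original password can be recovered, and that the reset path is single-use and time-bounded, so an old email sitting in an open webmail tab (the concern raised in the thread) cannot be replayed later.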