yahoo-eng-team team mailing list archive

[Bug 1400872] [NEW] Show password feature should be configurable

 

*** This bug is a security vulnerability ***

Public security bug reported:


Horizon allows the password field to be displayed in plain text. This introduces a potential security risk. Imagine a user leaving their desktop unlocked: if the user saved their password in the browser, a malicious user could go to the Login page and display the OpenStack password.

The show password feature should be made configurable for operators who
want a more secure deployment of Horizon.

** Affects: horizon
     Importance: High
     Assignee: Cindy Lu (clu-m)
         Status: Confirmed


** Tags: security

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1400872

Title:
  Show password feature should be configurable

Status in OpenStack Dashboard (Horizon):
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1400872/+subscriptions
