Discussion forum about ELOG
password encryption, posted by Alex H on Fri May 20 14:40:12 2005
    Re: password encryption, posted by Stefan Ritt on Fri May 27 14:48:05 2005
       Re: password encryption, posted by Alex H on Mon May 30 10:01:14 2005
    Re: password encryption, posted by Gary Clayson on Mon May 30 19:18:34 2005
       Re: password encryption, posted by Emiliano Gabrielli on Mon May 30 19:56:01 2005
          Re: password encryption, posted by Stefan Ritt on Mon May 30 20:16:11 2005
             Re: password encryption, posted by Alex H on Tue May 31 09:07:37 2005
    Re: password encryption, posted by Stefan Ritt on Sat Jun 4 14:00:17 2005
Message ID: 1159     Entry time: Fri May 27 14:48:05 2005     In reply to: 1154     Reply to this: 1160
Icon: Warning  Author: Stefan Ritt  Author Email: stefan.ritt@psi.ch 
Category: Request  OS:   ELOG Version: 2.5.8-6 
Subject: Re: password encryption 

Alex H wrote:
Hi Stefan,

I have found a little problem with elog. I am using ELOG V2.5.8-6. When I am on the logon page,
I type my Login and password and hit "submit", in the bottom of IE, we can show my password without encryption, it can be dangerous. I have made a screenshot to explain my problem better.
Could you fix it for the next release?
Thanks a lot.
Alex


Unfortunately there is no real way around that. If a password is entered into a text box, it is always transferred in plain text (which means that in security-sensitive installations one should always use SSL together with elog). I encrypt it on the server side and do an immediate redirect which "hides" the plain password, but if your connection is slow, you might see it for a moment. Unless nobody has a clever idea of how to prevent this, we're out of luck.