TheBLVD / wordpress-subclub

WordPress plugin to publish premium content to sub.club
https://sub.club
GNU General Public License v2.0

API key field shows current user's password #3

Open talksina opened 2 hours ago

talksina commented 2 hours ago

The API key is correctly typed and saved in the blog's database; in fact, WordPress interacts with SubClub regularly. But in the site's interface, the "api key" field populates itself with the user's password and, pressing "show" to see the current API key, you see the user's password instead.

bnolens commented 2 hours ago

Thanks for reporting this. We're looking into this. I'm trying to reproduce this issue but am currently unable to do so. Because WordPress only stores a hashed version of your password, this could be related to a password manager you're using in your browser. Do you have the same issue if you disable all password managers (maybe by using an anonymous window in your browser)?

talksina commented 1 hour ago

I confirm it: whenever it finds a password manager it finds the first saved password found for that domain (but it should not treat it as a password!) The only suggestion I could give you is to have it as a text field in both cases, but if "show" is on it displays the extended key. Or if it's hidden it shows asterisks. Be patient, being not a coder but just an accessibility tester, I can't give you solutions on how to get rid of password managers for protectable fields. I just know I've seen it in other places, such as plugins' license keys, and hide/show worked, with a field with input type "password" when it was hidden (as it should be). As soon as I get back to the plugin behaving like this, I might give you the contact to ask them how they managed this. But I can't promise anything. Or at the most, I can ask my co-workers who are devs.
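One way to build the field described in this thread, as an added example that is not the plugin's own code: the input stays `type="text"` in both states, is masked with asterisks when hidden, and carries the opt-out attributes that 1Password, LastPass and Bitwarden honour. The field name `subclub_api_key` and all function names are hypothetical, and the sketch assumes the page already has the stored key available for the "show" action.

```javascript
// Added example; identifiers are hypothetical, not taken from the plugin.

// Attributes that tell browsers and common password managers to skip the field.
const IGNORE_ATTRS = {
  autocomplete: "off",
  "data-1p-ignore": "",    // 1Password
  "data-lpignore": "true", // LastPass
  "data-bwignore": "",     // Bitwarden
};

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Asterisks for the hidden state; longer keys keep their last four characters.
function maskKey(key) {
  if (key.length <= 8) return "*".repeat(key.length);
  return "*".repeat(key.length - 4) + key.slice(-4);
}

// Render the settings input: never type="password", masked and read-only by default.
function renderApiKeyField(storedKey) {
  const attrs = {
    type: "text",
    id: "subclub_api_key",
    name: "subclub_api_key",
    value: maskKey(storedKey),
    readonly: "",
    spellcheck: "false",
    ...IGNORE_ATTRS,
  };
  const html = Object.entries(attrs)
    .map(([k, v]) => (v === "" ? k : `${k}="${escapeAttr(v)}"`))
    .join(" ");
  return `<input ${html}>`;
}

// "Show"/"hide" handler: swaps masked and full value, editable only when shown.
function toggleApiKey(input, storedKey) {
  const reveal = input.readOnly; // a masked field is read-only
  input.value = reveal ? storedKey : maskKey(storedKey);
  input.readOnly = !reveal;
  return reveal;
}
```

On save, the server side has to treat a submitted value that still equals the mask as "unchanged" so the asterisks never overwrite the stored key.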