Password Is Not Hidden During Installation

nagolucky18 commented 11 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

12.3.0-rc

Bug summary

Admin user password is not hidden during admin credential setup step of Umbraco installation.

Specifics

The new admin user password is not hidden during admin credential setup of Umbraco installation, which may lead to unintended sharing of administrator password and consequently, compromise of new admin account.

This is because the HTML input is of text type and not password type in "user.html". Unless there is a specific reason that the input is of text type, HTML password input type should be used to ensure password is hidden when user inputs a value into the textbox.

Steps to reproduce

Install Umbraco for the first time.

Expected result / actual result

The new admin user password should be hidden while the user inputs values into the textbox.

admin_password_visible_during_install

github-actions[bot] commented 11 months ago

Hi there @nagolucky18!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
We'll replicate the issue to ensure that the problem is as described.
We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

mastrup commented 11 months ago

There is some reasoning on this old PR #3555 on why not to do it. In the end, the change was welcomed but never ported from v7 to v8.

Migaroez commented 11 months ago

Hey @mastrup thanks for the PR #h5yr!

umbraco / Umbraco-CMS