Login posts user name and password as clear text

When using standard Episerver CMS login, the password and user name are posted as clear text.

To reproduce...

  1. Open Chrome and whip out Developer Tools and select the Network tab. Check Preserve log.
  2. Open your CMS site at /util/login.aspx and log on with your user credentials.
  3. Select the first login.aspx in the list of network traffic in Developer Tools and click the Headers tab.
  4. Locate form data at the bottom, to view your user name and password in clear text.

Any thoughts on this? Is it supposed to be like that?

#208115
Oct 14, 2019 15:42
Wow, you just caught the bug in the system. I just noticed by reproducing it.

Don't know if it was intentionally done or a mistake. But that's not good. Only the Epi team can say anything about that. :)

#208118
Oct 14, 2019 15:55
Short answer: yes. 

Long answer: you can try it out with any website out there, and it'll be like that. Some websites try to "encrypt" the password, but it's only client-side encryption so it can be easily decrypted. The protection is on SSL - i.e. the connection is encrypted, not the data itself.

#208120
Oct 14, 2019 16:13
From Facebook

#208122
Oct 14, 2019 16:16