Password is shown in plaintext when creating new Database User
ISPConfig 3.1b1
When creating a new Database User, the user's password is shown in plaintext.
In the underlying markup, this field has type="database_password", instead of type="password", so the field's contents are visible (instead of obfuscated with dots).
Given that the Repeat Password field just below is obfuscated, this seems like a bug.
That said, it makes sense that the user is able to see a generated password. Perhaps the ideal behavior would be to obfuscate the password by default, and only if the user clicks the "Generate Password" button should the value be displayed. If the user modifies the field's contents after generating a password, the value should perhaps again be obfuscated.
UPDATE: This is exactly how the password fields function on the Add New Mailbox page; the same behavior should be replicated here.
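
The behavior proposed above, as an added example that is not part of the original report and not ISPConfig's own code: the field is masked by default, revealed only while it holds an unmodified generated value, and masked again once the user edits it. The function names, the alphabet and the default length are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not ISPConfig identifiers.
// Alphabet omits look-alike characters (0/O, 1/l/I) since the value is shown on screen.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

// Draw `length` characters uniformly from ALPHABET using the Web Crypto CSPRNG.
// Rejection sampling discards bytes that would introduce modulo bias.
function generatePassword(length = 16) {
  const limit = 256 - (256 % ALPHABET.length);
  const buf = new Uint8Array(1);
  let out = "";
  while (out.length < length) {
    globalThis.crypto.getRandomValues(buf);
    if (buf[0] < limit) out += ALPHABET[buf[0] % ALPHABET.length];
  }
  return out;
}

// Wire a password input to a "Generate Password" button.
// `generate` is injectable so the masking logic can be tested deterministically.
function attachMaskedPasswordField(field, generateButton, generate = generatePassword) {
  let generated = null;      // last generated value still present in the field, if any
  field.type = "password";   // obfuscated by default

  generateButton.addEventListener("click", () => {
    generated = generate();
    field.value = generated;
    field.type = "text";     // the user has to be able to read a generated password
  });

  field.addEventListener("input", () => {
    // Any edit means the field now holds a user-chosen secret: mask it again.
    if (field.value !== generated) {
      generated = null;
      field.type = "password";
    }
  });
}
```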