Bug 50846 - Reset password module - do not allow Form AutoFill for password
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: UMC - Password reset
UCS@school 4.4
Other other
P5 normal
Assigned To: UCS@school maintainers
Depends on: 47646 49099
Reported: 2020-02-20 15:23 CET by Michael Grandjean
Modified: 2020-03-24 11:56 CET
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): External feedback, Security
Max CVSS v3 score:
Description Michael Grandjean univentionstaff 2020-02-20 15:23:33 CET
By default, most browsers will store text that a user entered in a form field and will try to autofill forms or at least offer the previously entered texts later on. 

This should be prevented for the password field. Otherwise the browser will suggest passwords that have been entered before (e.g. passwords of other students).

+++ This bug was initially created as a clone of Bug #47646 +++

This is based on customer feedback:

Currently, if a teacher/school-admin uses the "Passwords (students/teachers)" module, the password is shown in clear text and readable for everyone looking at the screen.

Suggested improvement: Mask the entered password (********), but also add an option to toggle between visible and masked. Android/iOS-Frameworks usually use an eye icon for this.
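
An added example, not part of the original report or of the UCS@school code: a small audit that flags password-bearing inputs which a browser may record in form history or autofill. The markup, the field names and the name pattern are constructed assumptions; `autocomplete="new-password"` is the standard HTML hint for fields that set a new password and is not named in the report.

```javascript
// Constructed sample markup; field names are hypothetical, not UCS@school's.
const SAMPLE_FORM = `
<form id="reset">
  <input type="text" name="username" autocomplete="off">
  <input type="text" name="newPassword">
  <input type="password" name="confirmPassword">
  <input type="password" name="retypePassword" autocomplete="new-password">
</form>`;

// Parse the attributes of one <input ...> tag into a map keyed by the
// lower-cased attribute name. Handles double-quoted, single-quoted and bare values.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per input that carries a password (by type, or by a
// name matching namePattern, which is an assumed heuristic) and is missing
// one of the two protections discussed in the report.
function auditPasswordInputs(html, namePattern = /pass|pwd/i) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    const type = (attrs.type || "text").toLowerCase();
    const name = attrs.name || "";
    if (type !== "password" && !namePattern.test(name)) continue;

    const issues = [];
    // A text input shows the value on screen and is treated by the browser
    // like any other form field, so earlier entries can be suggested again.
    if (type !== "password") issues.push("plain-text-input");
    // Without an autocomplete hint the browser is free to offer stored values.
    const hint = (attrs.autocomplete || "").toLowerCase();
    if (hint !== "new-password" && hint !== "off") issues.push("no-autocomplete-hint");

    if (issues.length > 0) findings.push({ name, issues });
  }
  return findings;
}

console.log(JSON.stringify(auditPasswordInputs(SAMPLE_FORM), null, 2));
```
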