Topic: SMTP Password
Settings > Email - SMTP password
Should this field be password type?
No, since you need to see the password to know what it is and know if it's typed incorrectly.
Should it?
If one were in pedant mode, the answer would definitely be yes. A dual input and compare scenario as in the profile/registration password setup would work for finding typos.
Except when you go to send emails and it doesn't work.
Was trying to think of a subtle way of saying this but failed. Any muppet who can enter an incorrect password exactly the same twice is pretty much begging for things not to work properly.
It's certainly possible: I've typed my password in incorrectly several times in a row before. I made several typos in the process of writing up this post, as a matter of fact.
The problem is also that it adds little in the way of security. How often do you change your admin options (specifically the SMTP settings) when someone is looking over your shoulder? That's the only situation where it helps: every other case does nothing because a person can look in the source of the page or directly in the database.
I understand what you mean. It does seem overkill in theory for what should be a one-time operation. I just happen to be from the old style camp where security is concerned. Every little helps. Only if it drastically restricts ease of use would I generally err on the side of ease, where possible.
It provides the illusion of security, and that can be harmful as well.
Must admit, there are beneficial factors for both hashed and clear. At the end of the day though, it is down to you chaps on the Dev team to decide which way it goes. If anyone is insistent on it being hashed, they can easily alter the code themselves on their own installation. Or, you could have a hash/no-hash toggle option, to please both camps.
It's not hashing, that would be impossible. It's changing the field from a plain text field to a password field, which would keep the password from being shown in the input field. It won't stop admins from viewing the source of the page and seeing the password. It won't stop people with access to the database from seeing the password. It will simply keep someone from looking over your shoulder at your screen (rather than at your keyboard) as you type it in. And the cost is that it's not as easy for you to tell whether or not you have entered your password correctly.
I just said hashing 'cos I couldn't think of the proper term offhand. It wasn't intended implicitly. Either way, I'm easy. The final decision belongs to you and the other Devs.
OK, I just wanted to make sure you weren't getting the wrong idea.
Personally, it doesn't matter to me: I'm aware of the implications of putting details there and changing it to a password field would change nothing for me. The question really is, as you said earlier, whether or not any gain in security we get offsets any loss of usability.
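The point made in the thread about the page source, as an added example (not part of the thread and not PunBB code): the hypothetical PHP helpers below render a settings field three ways and check whether the stored password ends up in the HTML sent to the browser. The third variant, which leaves the field empty and keeps the stored value on a blank submit, goes beyond what the thread discusses; all function names, the field name and the sample secret are constructed.

```php
<?php
// Added example: hypothetical helpers, not taken from PunBB.

// Render the SMTP password input. $echo_stored = true pre-fills the field with
// the stored value; false leaves it empty so the secret never reaches the page.
function render_smtp_pass_field(string $stored, string $type, bool $echo_stored): string
{
    $value = $echo_stored ? htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') : '';
    $hint  = (!$echo_stored && $stored !== '') ? ' placeholder="(unchanged)"' : '';
    return sprintf('<input type="%s" name="smtp_pass" value="%s"%s />', $type, $value, $hint);
}

// On save, an empty submission means "keep the stored password".
function resolve_smtp_pass(string $submitted, string $stored): string
{
    return $submitted === '' ? $stored : $submitted;
}

// True if the secret is readable in the HTML, whatever the input type is.
function secret_in_source(string $html, string $secret): bool
{
    $escaped = htmlspecialchars($secret, ENT_QUOTES, 'UTF-8');
    return $secret !== '' && strpos($html, $escaped) !== false;
}

$stored = 'constructed-example-secret'; // constructed sample value

$variants = [
    'text, pre-filled'     => render_smtp_pass_field($stored, 'text', true),
    'password, pre-filled' => render_smtp_pass_field($stored, 'password', true),
    'password, not echoed' => render_smtp_pass_field($stored, 'password', false),
];

// type="password" only masks the on-screen rendering; a pre-filled value is
// still present in the markup.
foreach ($variants as $label => $html) {
    printf("%-22s secret in page source: %s\n", $label,
        secret_in_source($html, $stored) ? 'yes' : 'no');
}

// Saving without retyping keeps the existing password; typing replaces it.
var_dump(resolve_smtp_pass('', $stored) === $stored);
var_dump(resolve_smtp_pass('new-secret', $stored) === 'new-secret');
```

None of the variants changes what someone with database access can read, which is the other case raised in the thread.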