Topic: SMTP Password

Settings > Email - SMTP password

Should this field be password type?

Re: SMTP Password

No, since you need to see the password to know what it is and know if it's typed incorrectly.

Re: SMTP Password

Should it?

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: SMTP Password

If one were in pedant mode, the answer would definitely be yes. :D A dual input and compare scenario as in the profile/registration password setup would work for finding typos.

Re: SMTP Password

MattF wrote:

If one were in pedant mode, the answer would definitely be yes. :D A dual input and compare scenario as in the profile/registration password setup would work for finding typos.

Except when you go to send emails and it doesn't work ;)

Re: SMTP Password

Was trying to think of a subtle way of saying this but failed. :D Any muppet who can enter an incorrect password exactly the same twice is pretty much begging for things not to work properly. :D

Re: SMTP Password

It's certainly possible: I've typed my password in incorrectly several times in a row before. I made several typos in the process of writing up this post, as a matter of fact. :P

Re: SMTP Password

Can we have it just for chuckle value then? :D

Re: SMTP Password

The problem is also that it adds little in the way of security. How often do you change your admin options (specifically the SMTP settings) when someone is looking over your shoulder? That's the only situation where it helps: every other case does nothing because a person can look in the source of the page or directly in the database.

Re: SMTP Password

I understand what you mean. It does seem overkill in theory for what should be a one-time operation. I just happen to be from the old style camp where security is concerned. Every little helps. Only if it drastically restricts ease of use would I generally err on the side of ease, where possible.

Re: SMTP Password

It provides the illusion of security, and that can be harmful as well ;)

Re: SMTP Password

Must admit, there are beneficial factors for both hashed and clear. At the end of the day though, it is down to you chaps on the Dev team to decide which way it goes. :) If anyone is insistent on it being hashed, they can easily alter the code themselves on their own installation. :) Or, you could have a hash/no-hash toggle option, to please both camps. :D

Re: SMTP Password

It's not hashing, that would be impossible. It's changing the field from a plain text field to a password field, which would keep the password from being shown in the input field. It won't stop admins from viewing the source of the page and seeing the password. It won't stop people with access to the database from seeing the password. It will simply keep someone from looking over your shoulder at your screen (rather than at your keyboard) as you type it in. And the cost is that it's not as easy for you to tell whether or not you have entered your password correctly ;)
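
The point made in the post above, as an added example that is not part of the thread or of the forum software's code: a pre-filled `value` attribute is readable in the page source whether the input is `type="text"` or `type="password"`. The field name `smtp_pass`, the sample markup, the stored value and the `apply_update` helper are all constructed for illustration; leaving the field blank and keeping the stored password on an empty submission is one common way to avoid echoing the secret, not something the thread proposes.

```python
from html.parser import HTMLParser

# Constructed admin-page markup (not taken from the forum software): the same
# stored SMTP password rendered as a text field, as a password field, and as a
# password field that is never pre-filled.
STORED = "s3cr3t-smtp-pass"  # constructed sample value
FORMS = {
    "text": f'<input type="text" name="smtp_pass" value="{STORED}">',
    "password": f'<input type="password" name="smtp_pass" value="{STORED}">',
    "blank": '<input type="password" name="smtp_pass" value="" '
             'autocomplete="new-password">',
}

class SecretFieldAudit(HTMLParser):
    """Collect secret-looking inputs whose value attribute is pre-filled."""
    SECRET_HINTS = ("pass", "secret", "token", "key")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").lower()
        looks_secret = a.get("type", "text").lower() == "password" or any(
            hint in name for hint in self.SECRET_HINTS)
        # Masking only changes what the browser draws; the value is still in the HTML.
        if looks_secret and a.get("value"):
            self.findings.append((a.get("name"), a.get("type", "text"), a["value"]))

def audit(html):
    """Return (name, type, value) for every secret field echoed into the page."""
    parser = SecretFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def apply_update(stored, submitted):
    """Server side of the blank-field variant: empty submission keeps the old secret."""
    return submitted if submitted else stored

if __name__ == "__main__":
    for label, html in FORMS.items():
        print(label, audit(html))
```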

Re: SMTP Password

I just said hashing 'cos I couldn't think of the proper term offhand. It wasn't intended implicitly. :) Either way, I'm easy. The final decision belongs to you and the other Devs. :)

Re: SMTP Password

OK, I just wanted to make sure you weren't getting the wrong idea. ;)
Personally, it doesn't matter to me: I'm aware of the implications of putting details there and changing it to a password field would change nothing for me. The question really is, as you said earlier, whether or not any gain in security we get offsets any loss of usability.