Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status No Plans to Implement
Workspace Domino
Categories Templates
Created by Guest
Created on Oct 6, 2021
Merged idea
This idea has been merged into another idea. To comment or vote on this idea, please visit DOMINO-I-276 Domino has no control on how browsers store username/passwords in the local cache of the broswer, it sending password in plain text to Server.

Re-design iNotes login page in such a way that passwords will not be shown as plaintext Merged

A customer's audit team has reported that when they use any Man-in-the-middle (MIM) tools such as Burp Suite tool, it shows the password entered on the login page as plain text.

Note that customer is already using TLS connection on HTTP with POST method which should tell us that the data being transported is encrypted and secured on both ends.


The customer wants the password field to be encrypted/hashed before the login credentials is POSTed to Domino server even with a TLS connection so the MIM wouldn't see a clear text password.


We also noted that with SAML with an IDP that provides this functionality, this can be achieved. But customer likes to see this addressed in the core domino product.

  • Admin
    Thomas Hampel
    Reply
    |
    Oct 6, 2021

    Rejecting this idea because it will not add any kind of additional security.

    If the connection between client and server can not be trusted (e.g. a MTM was able to break into the TLS secured channel) then you can also NOT trust any javascript nor any encryption algorithm that was added to the site. Trying to obscure the password is pointless in this case and will not improve security.