#dominoforever | Product Ideas Portal


Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page


Merged idea

This idea has been merged into another idea. To comment or vote on this idea, please visit DOMINO-I-276: Domino has no control over how browsers store usernames/passwords in the local cache of the browser; it is sending the password in plain text to the server.

Re-design iNotes login page in such a way that passwords will not be shown as plaintext

Status: Merged

A customer's audit team has reported that when they use any man-in-the-middle (MIM) tool such as Burp Suite, it shows the password entered on the login page as plain text.

Note that the customer is already using a TLS connection over HTTP with the POST method, which should tell us that the data being transported is encrypted and secured on both ends.

The customer wants the password field to be encrypted/hashed before the login credentials are POSTed to the Domino server, even with a TLS connection, so the MIM wouldn't see a clear-text password.

We also noted that with SAML and an IdP that provides this functionality, this can be achieved. But the customer would like to see this addressed in the core Domino product.

  • Guest
  • Oct 6 2021
  • No Plans to Implement
  • Admin
    Thomas Hampel commented
    6 Oct, 2021 07:59pm

    Rejecting this idea because it will not add any kind of additional security.

    If the connection between client and server cannot be trusted (e.g. a MITM was able to break into the TLS-secured channel) then you can also NOT trust any JavaScript nor any encryption algorithm that was added to the site. Trying to obscure the password is pointless in this case and will not improve security.