HCL Domino Ideas Portal


Status No Plans to Implement
Workspace Domino
Categories Templates
Created by Guest
Created on Oct 6, 2021
Merged idea

This idea has been merged into another idea. To comment or vote on this idea, please visit DOMINO-I-276: Domino has no control over how browsers store usernames/passwords in the local cache of the browser; it is sending the password in plain text to the server.

Re-design iNotes login page in such a way that passwords will not be shown as plaintext (Merged)

A customer's audit team has reported that when they use any man-in-the-middle (MIM) tool such as the Burp Suite tool, it shows the password entered on the login page as plain text.

Note that the customer is already using a TLS connection over HTTP with the POST method, which should tell us that the data being transported is encrypted and secured on both ends.

The customer wants the password field to be encrypted/hashed before the login credentials are POSTed to the Domino server, even with a TLS connection, so that the MIM would not see a clear-text password.

We also noted that with SAML and an IdP that provides this functionality, this can be achieved. But the customer would like to see this addressed in the core Domino product.

  • Admin: Thomas Hampel, Oct 6, 2021

    Rejecting this idea because it will not add any kind of additional security.

    If the connection between client and server cannot be trusted (e.g. an MITM was able to break into the TLS secured channel) then you can also NOT trust any JavaScript nor any encryption algorithm that was added to the site. Trying to obscure the password is pointless in this case and will not improve security.
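As an added illustration of the reasoning in the admin's reply (this is not code from HCL, from Domino, or from either participant), the following Python model compares the two login designs under the premise the comment uses: an observer who can already read the TLS-protected POST body. In design A the browser sends the password; in design B the page's JavaScript hashes it first with a salt that must be embedded in the page, and therefore public. In both designs the server can only check the value it actually receives, so that value is the credential, and knowing it is exactly as sensitive as knowing the password. The user name, password, client salt and PBKDF2 iteration count are constructed sample values for the demonstration, not Domino settings.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demonstration (assumptions, not Domino defaults).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
CLIENT_SALT = "inotes-demo-salt"   # hypothetical salt a login page's JavaScript would embed
SERVER_ITERATIONS = 100_000        # hypothetical server-side PBKDF2 work factor


def client_side_hash(password: str) -> str:
    """Design B: hash the password in the browser before the POST.

    The salt is shipped to every browser inside the page, so it is public;
    the transform adds no secret of its own.
    """
    return hashlib.sha256((CLIENT_SALT + password).encode()).hexdigest()


def wire_value_design_a(password: str) -> str:
    """Design A: the POST body carries the password itself."""
    return password


def wire_value_design_b(password: str) -> str:
    """Design B: the POST body carries the client-side hash instead."""
    return client_side_hash(password)


def server_register(value_sent_at_enrolment: str) -> dict:
    """Server stores a salted, stretched verifier of whatever value it will
    later receive at login (the password in design A, the client hash in B)."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", value_sent_at_enrolment.encode(), salt, SERVER_ITERATIONS
    )
    return {"user": USERNAME, "salt": salt, "verifier": verifier}


def server_verify(record: dict, value_received: str) -> bool:
    """Constant-time comparison of the received value against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", value_received.encode(), record["salt"], SERVER_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["verifier"])


def wire_value_is_sufficient(design) -> bool:
    """The comment's premise: TLS is already broken, so the POST body is readable.

    Returns True when the value seen on the wire, with no knowledge of
    PASSWORD, is accepted by the server. If this is True for both designs,
    design B has not raised the bar: the protection comes from the TLS
    channel, not from transforming the password before sending it.
    """
    record = server_register(design(PASSWORD))   # enrolment uses the same design
    on_the_wire = design(PASSWORD)               # what a login POST carries
    return server_verify(record, on_the_wire)


if __name__ == "__main__":
    for name, design in (("A: plain password", wire_value_design_a),
                         ("B: client-side hash", wire_value_design_b)):
        print(f"design {name}: wire value alone authenticates ->",
              wire_value_is_sufficient(design))
```

Running the block prints `True` for both designs. The only difference between them is which string plays the role of the credential; a server that receives client-side hashes must still salt and stretch them, and must still rely on TLS to keep them confidential in transit, which is the point the reply makes.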