#dominoforever | Product Ideas Portal

 


Domino has no control over how browsers store usernames/passwords in the local cache of the browser; it is sending the password in plain text to the server

SPR #RKUR8VXDYM

Domino has no control on how browsers store username/passwords in the local cache of the browser.

Using a customised login page created in inotes.nsf, and this is set in Domcfg.nsf. Both the Username & password fields are set with the "enable encryption for this field" option in field properties. We also have a SHA2 certificate for the application but are still getting the password in plain text at the application layer, while sending it to the server, and with a memory reading tool such as WinHex. It can be obtained in plain text through the browser's developer options too.

  • Guest
  • Sep 10 2018
  • Rejected
  • Admin
    Thomas Hampel commented
    2 Oct 10:14am

    You are trying to prevent the user from storing their password?
    Which means the user will have to type the password every time?
    Which causes passwords to be less secure because a user will need to remember it, and can't use password managers?

    Maybe you are trying to say that the browser or the computer that is being used cannot be trusted? If so, it's a bad idea to rely on a JavaScript that will be executed by the browser/computer in question.

  • Guest commented
    17 Dec, 2020 03:51am

    If we look at a bank's website, where we provide a username and password, then the browser can only store a dummy password because the field somehow gets encrypted before the browser can store it. So on a bank's website, the browser cannot store the real password. Maybe it is encrypted at page level and later the server further decrypts it. So the browser can't understand what the real password is.

  • Admin
    Thomas Hampel commented
    16 Dec, 2020 10:05pm

    This is not a bug and not a problem.

    Just look at any other website, where the behaviour is exactly the same. The browser will have to send the username and password to the server. Communication is encrypted at the transport layer (SSL/TLS) but the content has to be sent in clear.
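
The trade-off discussed in this thread, as an added example that is not part of the original posts or of Domino: it compares a login page that transforms the password field in the browser with one that sends the password inside TLS and stores a salted hash on the server. SHA-256 stands in for whatever page-level transform is used; all function names and the sample password are constructed for illustration.

```javascript
// Added example: constructed values, hypothetical function names.
const crypto = require('crypto');

// A fixed transform shipped in the login page. Every visitor (and every tool
// that can read the page) sees the same code, so it holds no secret.
function clientTransform(password) {
  return crypto.createHash('sha256').update(password, 'utf8').digest('hex');
}

// Constant-time comparison that tolerates inputs of different length.
function safeEqual(a, b) {
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Design A: the page transforms the field, the server compares it to the stored transform.
function makeTransformServer(password) {
  const stored = Buffer.from(clientTransform(password), 'hex');
  return {
    stored,
    login: (submittedHex) => safeEqual(Buffer.from(submittedHex, 'hex'), stored),
  };
}

// Design B: the password travels inside TLS, the server keeps only a salted scrypt hash.
function makePasswordServer(password) {
  const salt = crypto.randomBytes(16);
  const stored = crypto.scryptSync(password, salt, 32);
  return {
    stored,
    login: (submitted) => safeEqual(crypto.scryptSync(submitted, salt, 32), stored),
  };
}

function compareDesigns() {
  const password = 'correct horse battery staple'; // constructed sample
  const a = makeTransformServer(password);
  const b = makePasswordServer(password);
  const fieldValueA = clientTransform(password); // what dev tools or memory show in design A
  return {
    // The value visible in the browser is accepted on its own: it is the credential.
    transformedValueLogsIn: a.login(fieldValueA),
    // Design A's stored record is itself a valid login value.
    storedRecordLogsInA: a.login(a.stored.toString('hex')),
    // Design B's stored record is not accepted as a login value.
    storedRecordLogsInB: b.login(b.stored.toString('hex')),
    passwordLogsInB: b.login(password),
  };
}

console.log(compareDesigns());
```

In design A the transformed value simply replaces the password as the secret that the browser holds and the server accepts, so what appears in developer tools or process memory is still sufficient to log in, and the server's stored record becomes login-equivalent as well.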