HCL Domino Ideas Portal


Status No Plans to Implement
Workspace Domino
Categories Security
Created by Guest
Created on Sep 10, 2018

Domino has no control on how browsers store username/passwords in the local cache of the browser; it is sending the password in plain text to the server

SPR #RKUR8VXDYM

Domino has no control on how browsers store username/passwords in the local cache of the browser.

We are using a customised login page created in inotes.nsf, and this is set in Domcfg.nsf. Both the username and password fields are set with the "enable encryption for this field" option in the field properties. We also have a SHA2 certificate for the application, but we are still getting the password in plain text at the application layer, while sending it to the server, and with a memory reading tool such as WinHex. It is also shown in plain text through the browser's developer option.

  • Admin
    Thomas Hampel
    Oct 2, 2021

    You are trying to prevent the user from storing its password?
    Which means the user will have to type the password every time?
    Which causes passwords to be less secure because a user will need to remember it, and can't use password managers?

    Maybe you are trying to say that the browser or the computer that is being used cannot be trusted? If so, it's a bad idea to rely on JavaScript that will be executed by the browser/computer in question.

  • Guest
    Dec 17, 2020

    If we look at a bank's website, where we provide a username and password, the browser can only store a dummy password because the field somehow gets encrypted before the browser can store it. So on a bank's website, the browser cannot store the real password. Maybe it is encrypted at page level and the server later decrypts it. So the browser can't understand what the real password is.

  • Admin
    Thomas Hampel
    Dec 16, 2020

    This is not a bug and not a problem.

    Just look at any other website, where the behaviour is exactly the same. The browser will have to send the username and password to the server. Communication is encrypted on transport layer (SSL/TLS) but the content has to be sent in clear.
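
An added example (not from this thread and not HCL or Domino code) that models the two designs discussed above: the password sent as-is inside TLS, and a login page whose script hashes the field before submitting. The class names, function names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample value


def client_transform(password: str) -> str:
    """Stand-in for a login-page script that hashes the field before submit."""
    return hashlib.sha256(password.encode()).hexdigest()


class PlainOverTlsServer:
    """Receives the password inside TLS; stores only a salted, slow hash."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.stored = self._kdf(password).hex()

    def _kdf(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self.salt, 100_000)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(self._kdf(submitted).hex(), self.stored)


class ClientHashedServer:
    """Receives client_transform(password) and compares it with a stored copy."""

    def __init__(self, password: str):
        self.stored = client_transform(password)

    def login(self, submitted: str) -> bool:
        return hmac.compare_digest(submitted.encode(), self.stored.encode())


def compare_designs(password: str = PASSWORD) -> dict:
    """For each design: does the on-the-wire value log in, and does the stored one?"""
    plain, hashed = PlainOverTlsServer(password), ClientHashedServer(password)
    wire_plain, wire_hashed = password, client_transform(password)
    return {
        "plain_wire_logs_in": plain.login(wire_plain),
        "hashed_wire_logs_in": hashed.login(wire_hashed),
        "plain_stored_logs_in": plain.login(plain.stored),
        "hashed_stored_logs_in": hashed.login(hashed.stored),
        "hashed_wire_hides_password": wire_hashed != password,
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

In both designs the value visible at the application layer is the one the server accepts; the script only changes which string that is. In the second design the stored copy is accepted as a login too, which the salted server-side hash avoids.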

4 MERGED

Re-design iNotes login page in such a way that passwords will not be shown as plaintext

Merged
A customer's audit team has reported that when they use any Man-in-the-middle (MIM) tools such as Burp Suite tool, it shows the password entered on the login page as plain text. Note that customer is already using TLS connection on HTTP with POST ...
over 2 years ago in Domino / Templates 1 No Plans to Implement