Could we get the HTTP Password hidden again?

Prior to Release 6, the HTTP Password was completely hidden from view in the Domino Directory when users had the documents open in the “Read only” mode. The “hashed” password would only be displayed if the document was opened for editing.

While the passwords (for the most part) still appear as “hashed”, there is some level of concern that these shouldn’t be displayed when casually browsing through the Directory, with the concern being that this is not built on any type of encryption, and given time could be un-encoded.

It would be real nice to have this field’s data hidden unless opened for editing, like it was before.

Thanks!

Subject: Could we get the HTTP Password hidden again?

How is hiding it in read mode a security measure? It’s still available via the document properties, no?

Cheers!

Luke

Subject: RE: Could we get the HTTP Password hidden again?

The concern is about casual users being able to view it, not overall access to the information.

Many/most people (after several years of using the product) don’t know, or need to know, how to view document properties. Those same people, however, frequently use the “Address” button on new memos and will click on the “Details” button to make sure they have the right person. The HTTP password shows there, since the form’s design isn’t hiding the field.

Subject: Could we get the HTTP Password hidden again?

“[T]his is not built on any type of encryption”? Are you joking? Any message decode based on nothing more than brute force (no prior knowledge of the algorithm) requires a sufficiently long message to find patterns. In other words, while it may require a 512-bit public/private key system to encode long documents securely, a password doesn’t qualify. Especially when one considers that passwords should be relatively “unguessable” to begin with. I’d rather it remain the way it is now – I can tell at a glance whether the reason a user can’t access the web site is because he hasn’t set his internet password yet. The “old” way meant using the document properties or putting the person doc into edit mode just to verify the existence of a password.