HTTP 500 password plain text

Well, it's more that it's really easy to forget to reset debug messages. But as said, it's not a big deal, just a nice-to-have feature… And a password in plain text, in these data-security times, is always an issue…

If someone has physical access to your PC, smartphone, tablet or whatever, you have lost in any case. An attacker could install some spyware on your device, reset passwords, set up a wifi sniffer, etc. There are a lot of possible attack vectors, so IMO it's not worth adding an additional setting.


I think we are not talking about the issue and the solution.
In my opinion, a strong one-way hashing function with salt should be used on the password.
Even to store a password locally, "hash and salt" should be used. A password should never be visible after registration.

This makes sense for the server, but not for the client. The client would have to send the hash to the server, and at that point the hash is the new "password".

In that case, the password is in plain text on the device, sent to the server via HTTPS, and stored as a hash on the server side?

Correct
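An added example (not code from the thread or from the project being discussed) that illustrates the point made above: hashing on the device does not remove the secret from the device, it only changes which value is the secret. The client-side pre-hash function, the user names and the password are constructed for the demo.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 iteration count chosen for the demo (not a value from the thread).
ITERATIONS = 600_000


def make_record(secret: str) -> dict:
    """Server side: store a fresh random salt and the salted, stretched hash of `secret`."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, secret: str) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def client_prehash(password: str) -> str:
    """Hypothetical 'hash it on the device' step: an unsalted SHA-256 of the password.
    Whatever the device sends is what the server will treat as the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    password = "correct horse battery"  # constructed sample value

    # Design A (what the thread settles on): device sends the plaintext over HTTPS,
    # the server salts and hashes it. The device must still hold the plaintext.
    rec_a = make_record(password)

    # Design B (the proposed alternative): device hashes first, server salts and hashes
    # that client hash. The device must now hold the client hash instead.
    rec_b = make_record(client_prehash(password))

    # Anyone who reads the client hash off the device logs in without the password,
    # which is why the thread calls that hash "the new password".
    stolen_client_hash = client_prehash(password)

    return {
        "a_password_ok": verify(rec_a, password),
        "b_stolen_hash_ok": verify(rec_b, stolen_client_hash),
        "b_raw_password_rejected": not verify(rec_b, password),
    }


if __name__ == "__main__":
    print(demo())
```

Salting and stretching on the server still protects the stored records against offline cracking; the example only shows that the choice of where to hash does not change what a device compromise exposes.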

It would be better to hash the password on the device if it is shown in the UI.