back to

Passwords in type="text" input

Is there a good reason why phpList uses type=“text” instead of type=“password” for submitting the admin’s password when initializing the database on a fresh install?

I just did a fresh install of the most recent phpList v3.5.1, and I was surprised to see it showing me my own password. Indeed, it uses the “text” input type instead of “password”. If it were “password”, then my browser would know to handle it more carefully, such as obfuscating the characters of my password as astericks (*) instead of displaying them on my screen, visible to the shoulder surfer next to me…

Is there anywhere else in the code base where passwords are input as type=“text”? Is there a good reason why this was done? If not, would you be open to changing it/them to type=“password”?

Thank you,
Michael Altfield

1 Like

Noticed this strange using but I don’t know why :wink: probably lack of time, isn’t?