[wp-trac] [WordPress Trac] #55228: Provide Option to Remove Password Visibility Button and Dashicons from WordPress' Login Form
WordPress Trac
noreply at wordpress.org
Wed Feb 23 02:41:33 UTC 2022
#55228: Provide Option to Remove Password Visibility Button and Dashicons from
WordPress' Login Form
-------------------------------+------------------------------
Reporter: generosus | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: 5.9.1
Severity: normal | Resolution:
Keywords: 2nd-opinion close | Focuses:
-------------------------------+------------------------------
Changes (by dd32):
* keywords: dev-feedback 2nd-opinion => 2nd-opinion close
Comment:
> A website Administrator goes to his/her WordPress login page and login
> form is auto-filled by the browser but the "Log In" button is never
> clicked.
If a browser is prefilling the password, an attacker can gain access to
the data within the password field relatively fast even without the button
[https://cloudup.com/cf1M0orAXqF (I just timed it at 10 seconds without
using the button)]. Physical access and choosing to use a password-manager
which auto-fills is an instant situation where nothing WordPress does will
'protect' the user.
This seems like plugin territory to me, if a site owner wishes to disable
this functionality then doing so through a plugin seems like the best
option to me.
It's also against the WordPress philosophy of
[https://wordpress.org/about/philosophy/#decisions Decisions, not
options].
I'm adding `close` here to signify that I think this should be closed as
`wontfix` but that `2nd-opinion` from others is still warranted.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55228#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform