
ACP LOGIN LOG

Just looked at this feature and noticed it gives away the last character of your pass... WHY?!?

I don't like having even one of my password letters on display, and A LOT of people put numbers at the end of their password; this could spell the difference between someone guessing and not guessing your pass. Just don't think it's a good idea at all, and it also gives away the length of your pass. Fair enough, you have to be in the ACP or DB to view it in the first place and be a root admin from my tests, but I still don't like it.

still sucks :P

I agree with jaggi, VERY BAD idea.

I shall be removing this from my install as soon as I go live.

I think it's a good idea as you can see which password they used and should be left as it is.

I also think this is a good idea; it helps you to see if the password they tried was similar to your own etc.

This is a good thing. Something needed for a while, I think.

> Just looked at this feature and noticed it gives away the last character of your pass... WHY?!?
>
> I don't like having even one of my password letters on display, and A LOT of people put numbers at the end of their password; this could spell the difference between someone guessing and not guessing your pass. Just don't think it's a good idea at all, and it also gives away the length of your pass. Fair enough, you have to be in the ACP or DB to view it in the first place and be a root admin from my tests, but I still don't like it.


The Administrator Control Panel is meant to be a place for people you can trust--especially as far as Root Admins. If you don't trust those people, they shouldn't be there.
Ultimately if you think someone else can guess your password by the last number, then your password is too weak and you should change it.

> The Administrator Control Panel is meant to be a place for people you can trust--especially as far as Root Admins. If you don't trust those people, they shouldn't be there.



This feature has nothing to do with your other admins. The idea is if your site is hacked, and someone logs into your ACP, by showing one character you can instantly tell if they used YOUR password, or if they somehow changed your password to something else.

It's one character - as Matt said, if you can guess your password from 1 character, it's too weak as it is.

It's a double-edged sword.
If your password is admin or password then you've had it.

The only + point is that it will tell you what password your hacker friend used to log in.

BUT if the hacker is smart enough, he will destroy the logs, if not the forum.
It's no big deal to know what password the hacker used to log in to the admin CP.

In the long run I think this is not a good idea, to give the cat a clue as to where to start backwards to try your password.
If you ask whether it can be a vulnerability or not, I would say yes, it is.

It's not a vulnerability - that's just being alarmist.

It's no different to having all but the last 4 digits of your credit card number hidden (**** **** **** 4367) on a receipt or statement.

Like I said before, if you think that your password could be guessed if someone knew the last character of your password, then you should really change it.

If it helps, my password shows in the logs as: ************4.

Go crack.

I had once challenged some guy online that my site is secure and he couldn't do anything about it. And after 2 days all my sites were hacked with a greeting from him. And my password was not an easy one too.

> I had once challenged some guy online that my site is secure and he couldn't do anything about it. And after 2 days all my sites were hacked with a greeting from him. And my password was not an easy one too.


Mods?
Keylogger?
Social Engineering?

I know people who have lost passwords to EVERYTHING, and claimed it was all mighty 'hackers' :P

Just so you know, I HATE that your last 4 digits show on cc's :P.

And my pass is a mixture of numbers and caps all the way through, so doubt anyone could hack it, and I change it more or less monthly. Just didn't like the feature and thought I'd see what other people thought.

> It's not a vulnerability - that's just being alarmist.
>
> It's no different to having all but the last 4 digits of your credit card number hidden (**** **** **** 4367) on a receipt or statement.
>
> Like I said before, if you think that your password could be guessed if someone knew the last character of your password, then you should really change it.
>
> If it helps, my password shows in the logs as: ************4.
>
> Go crack.



Is that your credit card number also? :shifty:

> Is that your credit card number also? :shifty:


Quick use it to give me some of his money.

Archived

This topic is now archived and is closed to further replies.
