
Statelog prints passwords in console #31

Open
tkriplean opened this issue Jun 3, 2017 · 3 comments

Comments

@tkriplean
Member

The diff on current_user save prints out the user's password in the clear.

e.g.

o client0.save('current_user') .login_as = {"name":"Travis","pass":"mypassword"} [client01f]

@toomim toomim changed the title Statebus server log leaks user password Statelog includes user password Jun 5, 2017
@toomim toomim changed the title Statelog includes user password Statelog displays passwords Jun 5, 2017
@toomim
Member

toomim commented Jun 5, 2017

I understand that rails hides user passwords from the default server log, but we haven't figured out what our server should do.

I see two design decisions that lead to the current behavior:

  • The statelog shows all state changes, w/o filtering particular fields
  • The statelog is enabled for client busses by default on the server

What are the problems with including user passwords?

  • An admin watching the console can read users' passwords as they log in
    • which the user might share across other websites, giving the admin access to those sites
    • which might be embarrassing
  • An admin might save the default server log to a file
    • Then if someone hacks the server, they can access unsalted passwords

That's the state of my thought. I'm open to what we should do.

@karth295
Collaborator

karth295 commented Jun 5, 2017 via email

@toomim
Member

toomim commented Jun 5, 2017

@karth295 The server does not store plaintext passwords. This issue is only about it printing passwords in the console.log debugging output, if the user has bus.honk != false, which is the default. This console output is not stored anywhere.

The server stores only a salted bcrypt hash of each password. The debugging output is printed when the password is received by the server over the network, before it has been hashed.

Another approach is to hash the passwords on the client instead of the server. Then the server would never even see the raw password. I originally implemented it that way, and could look into my notes to remember why I gave up on doing it.
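The field filtering that the first design decision above leaves out, as an added example that is not Statebus project code: a statelog formatter that masks password-like fields in a state diff before the line reaches console.log. The secret key names, the diff shape and the exact line format are assumptions for illustration.

```javascript
// Added example, not Statebus code: redact secret fields from a state diff
// before it is written to the statelog. Key names, the diff shape and the
// line format are assumptions made for illustration.
const SECRET_KEYS = new Set(['pass', 'password', 'secret', 'token']);
const MASK = '[REDACTED]';

// Return a deep copy of `value` in which every property whose name is in
// `secretKeys` (case-insensitive) is replaced by MASK. Arrays and nested
// objects are walked; primitives and null are returned unchanged. The
// input is never mutated, so the real diff still reaches the save logic.
function redact(value, secretKeys = SECRET_KEYS) {
  if (Array.isArray(value)) return value.map(v => redact(v, secretKeys));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = secretKeys.has(k.toLowerCase()) ? MASK : redact(v, secretKeys);
    }
    return out;
  }
  return value;
}

// Format one statelog line in the shape the issue's example shows, with the
// diff passed through redact() first. The leading "o" marker is taken from
// the issue; `clientId`, `key` and `diff` are the assumed inputs.
function formatStatelogLine(clientId, key, diff) {
  const shown = Object.entries(redact(diff))
    .map(([field, v]) => `.${field} = ${JSON.stringify(v)}`)
    .join(' ');
  return `o ${clientId}.save('${key}') ${shown}`;
}

// Constructed sample: the login diff from the issue with a made-up password.
const sampleDiff = { login_as: { name: 'Travis', pass: 'mypassword' } };

console.log(formatStatelogLine('client0', 'current_user', sampleDiff));
```

The masked copy is only what gets logged; the unmodified diff is still available to the save path, so the server can hash the password as before.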

@toomim toomim changed the title Statelog displays passwords Statelog prints passwords in console Jun 7, 2017