Obfuscate the LOTW Password in the pop up

Discussion in 'Suggestions and New Feature Requests' started by AD7PL, Mar 26, 2020.

  1. AD7PL

    AD7PL XML Subscriber QRZ Page

    Hello QRZ Team, I had a feature request that I think would be very beneficial for a few security reasons.

    When downloading a LOTW log you can type in your LOTW password and it's all visible:

    (not my real password)
    upload_2020-3-26_9-11-42.png



    Since it looks like you are creating a JS pop up this could simply be obfuscated by changing input type to password rather than string/text.

    Also upon looking at network logs I see you are passing on browser in plain text, so the password window is just one step.

    I would recommend though also making this query not visible to browser even with the site transmitting in HTTPS we still see the full details on users browser:

    https://logbook.qrz.com/?op=lotw_get_all&bid=123456789&lotw_pw=Hunter2@&sbook=0


    Thanks for everything else you have done with the site, this is just something I see as a security concern :)
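
The concern in the post above about the password travelling in the request URL, shown as an added example that is not part of the original post and is not QRZ's code: it moves `lotw_pw` out of the query string into a POST body and redacts it before a URL is logged. Whether the QRZ endpoint accepts POST is an assumption, and the parameter names other than `lotw_pw` are hypothetical.

```javascript
// Added example. Only lotw_pw comes from the post; the other names are assumed.
const SECRET_PARAMS = new Set(['lotw_pw', 'password', 'passwd', 'pw']);

// The URL quoted in the post (it carries a placeholder password, not a real one).
const SAMPLE_URL =
  'https://logbook.qrz.com/?op=lotw_get_all&bid=123456789&lotw_pw=Hunter2@&sbook=0';

// Names of query parameters that put a secret into the URL itself, where it
// ends up in browser history, proxy and server access logs, and bookmarks.
function secretsInUrl(rawUrl) {
  const url = new URL(rawUrl);
  return [...url.searchParams.keys()].filter((k) => SECRET_PARAMS.has(k.toLowerCase()));
}

// Describe the equivalent POST request: secret parameters move to the
// form-encoded body, everything else stays in the query string.
function toPostRequest(rawUrl) {
  const url = new URL(rawUrl);
  const body = new URLSearchParams();
  // Copy the entries first so deleting does not disturb the iteration.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (SECRET_PARAMS.has(key.toLowerCase())) {
      body.append(key, value);
      url.searchParams.delete(key);
    }
  }
  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Replace secret values before a URL is written to a log or error report.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of secretsInUrl(rawUrl)) url.searchParams.set(key, 'REDACTED');
  return url.toString();
}
```

HTTPS protects both forms in transit; the difference is that the POST body is not recorded in the address bar, history or standard access-log request lines.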
     
  2. N2IPH

    N2IPH Premium Subscriber QRZ Page

    Can you include the option to save the pword so I don't have to enter it each time? Or will that come by default when (if) the input type is changed to password?
     
  3. PB7RS

    PB7RS Ham Member QRZ Page

    This new password popup for LoTW downloads makes the browser want to update the password which it stored for my QRZ account. If I would accept this password update then the browser would overwrite the QRZ login password with the LoTW password, which is different. So I have to refuse the password update suggestion every time I download from LoTW. If I would say never store password, it would remove the QRZ password.
    I understand that this is browser behavior and that qrz can't really be blamed but is there maybe a workaround??
     
  4. N2IPH

    N2IPH Premium Subscriber QRZ Page

    I am seeing the same behavior on other sites so I think it's a MS-Edge (are you using Edge or some other browser) browser problem not QRZ.
    I'm using the Edge beta which is Chrome-based and under the skin more or less the same as Google Chrome browser, they share the same roots.

    I've reported it back to MS using the feedback option in the browser. Anyone else who is having the same issue should also report it so they can gauge the severity of the problem and respond accordingly.
     
  5. PB7RS

    PB7RS Ham Member QRZ Page

    I'm using Firefox, latest version, under Win 10. Google Chrome has the same problem. They link a password to a website but not to a specific page under that website. So each website can only have 1 password.
    I could use the same password for LoTW and QRZ to fix this but QRZ uses a proper 2 stage authentication where the password for LoTW is treated far less secure. I don't want to compromise my qrz password this way.
     
    N2IPH likes this.
