Problem/Motivation

The password field in Webform for Drupal 8 presents opportunities for misuse. While it provides an HTML password input type, Webform appears to save the data as plaintext in the database. Many Drupal site builders and content editors who can create Webforms may have the illusion that it is secure. See this discussion: https://stackoverflow.com/questions/48918876/drupal-webform-saving-passw....

Quicksketch had numerous comments about why he did not add password fields in the Webform D7 issue queue:
https://www.drupal.org/project/issues/webform?text=password+field&status...

Reasons for removal:

  • Data not stored encrypted
  • We cannot be sure of the webform builder's intent for the password field, so it is hard to provide the field with advisement on usage
  • Due to complexities of field encryption, this might be a task we as a community recommend developers implement in custom code vs. making it too easy to create an security issue (without review) in the site building realm

Proposed resolution

  • Remove the password field - I am not sure how to best handle since users are using this field. Would want some discussion on that aspect.
  • Move the password field to a separate contrib module that requires something like https://www.drupal.org/project/webform_encrypt, which utilizes https://www.drupal.org/project/encrypt. Thanks to DamienMcKenna for this suggestion.
  • Add associated documentation and details in Webform and related contrib modules (if implemented) detailing security concerns and proper/recommended implementations.

Comments

shrop created an issue. See original summary.

shrop’s picture

Issue summary: View changes
shrop’s picture

Issue summary: View changes
jrockowitz’s picture

Yes, people might assume that the password element is secure by default. I think we need to provide a warning to site builders that passwords are stored as plain text.

I don't think we should remove the password element because there are sites that do not store any data in Drupal and push their data to a remote CRM. There are also some sites that are using a webform to create a Drupal user account and might need to collect a password.

How about we add a warning message to the password element that warns users that submitted passwords are stored as plain text and recommend that they install the Webform Encrypt module.

I would also be open to defaulting all new installations of the Webform module to have the password element disabled by default with a warning displayed when it is enabled. (@see /admin/structure/webform/config/elements)

jrockowitz’s picture

Title: Consider removing the password field » Disable the password field
Assigned: Unassigned » jrockowitz
jrockowitz’s picture

Status: Active » Needs review
StatusFileSize
new4.96 KB

The below notes can be used for the change record.

Summary

  • Disable password and the password_confirm element for new installations.
  • Disable password and password_confirm element on existing installations that are not using these elements.
  • Add warning message to all enabled password elements. (/admin/structure/webform/config/elements)
  • Add warning to all password elements that are stored in the database.
  • Remove password and password elements from webform_examples.module

Notes

  • Recommending people use the Webform Encrypt module.
  • The Webform Encrypt module is still in Alpha release, so we are not trying to determine when it is enabled or disable for a password element.
  • Any element type that included the word password is going to be flagged.

Status: Needs review » Needs work

The last submitted patch, 6: 2947991-6.patch, failed testing. View results
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

jrockowitz’s picture

Status: Needs work » Needs review
StatusFileSize
new6.28 KB

  • jrockowitz committed 68754d7 on 8.x-5.x
    Issue #2947991 by jrockowitz: Disable the password field
    
jrockowitz’s picture

Status: Needs review » Fixed

I committed the patch. Please download the latest dev release to review.

shrop’s picture

I will take a look! Thanks for working to improve this for clarity to site builders.

I like the solution :)

adriancid’s picture

@jrockowitz I have a doubt here:

+++ b/includes/webform.install.update.inc
+  // If password element is not being used in any webform display both the
		+  // password and password_confirm element.
		+  if (!$has_password_element) {
		+    $admin_config = \Drupal::configFactory()->getEditable('webform.settings');
		+    $excluded_elements = $admin_config->get('element.excluded_elements') ?: [];
		+    $excluded_elements['password'] = 'password';
		+    $excluded_elements['password_confirm'] = 'password_confirm';
		+  }
		+}
		+

Here I can't see the use of $excluded_elements is an error or I'm missing something here?

jrockowitz’s picture

Status: Fixed » Needs review
StatusFileSize
new569 bytes

@adriancid You are absolutely right. Thanks for catching that.

adriancid’s picture

I think that you need to add another webform update function because some users maybe have the webform_update_8110() update on their sites, so to apply the changes another update is needed.

  • jrockowitz committed b2a99e7 on 8.x-5.x
    Issue #2947991 by jrockowitz, shrop, adriancid: Disable the password...
jrockowitz’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

damondt’s picture

There are use cases acceptable both in terms of security and morality (not storing in db and sending encrypted to endpoint via handler for instance). It's not terribly time consuming to sidestep if you're familiar with the module and discovered this issue, but I'm unsure if I agree with the decision. Technical ability doesn't imply morality, so the decision is whether to make work for technical users in order to prevent unintentional misuse.