I have to hide the length of the password being entered during login of my asp.net web application. I know the asp.net textbox server control has the textmode of password but I can't even show that. Any suggestions on how to hide the user input?

A: 

If you must (which I agree with @Ando that you shouldn't due to UI issues), I would use javascript (onkeydown) to copy each character to a hidden input field, and remove the key entered in the box.

This would allow you to retrieve the password on postback, while keeping the input field empty for the user.

Of course, if the user presses arrow keys, delete or backspace, you would have to decide how to handle that.

Hiding the length of the input seems like a really really bad UI idea from the user's perspective, and you should argue that the specification should be changed.

Mikael Svenson
I completely agree with each of your responses. However, this is a corporate policy that is currently listed as "Preferred" and not "Mandatory". I would also be willing to argue the specification due to creating more work for the admins in regards to resetting locked user accounts and resetting passwords. Either way, I just thought I would throw the question out there and see if there was any other way to do this without using Javascript and a hidden field. I was thinking of doing an Ajax update panel and saving it to memory on the textbox textchanged event. Thoughts??
Corin
Sure you could use Ajax, and handle the key presses in some user specific variable on the server side instead of using a hidden field. Same logic, different storage. To me a javascript solution would be easier to implement, but they would both do the same thing.
Mikael Svenson
My issue with using Javascript and storing in a hidden field is the user viewing the source of the page and seeing it. Though I could disable right click but the option in the menu would still be there.
Corin
A lot of on-line banks use java applets (though they show dots for each character). This would prevent view source. As would flash and silverlight. Your task now is to implement it and wait for users to complain ;)
Mikael Svenson
I can't even show the dots. I can't provide any feedback to the end user while they are entering their password.
Corin
Of course the option is to pad the entry while the user is typing and use some images on the side of the login that changes on each key that is pressed, i.e. Lotus Notes anyone.
Corin
Using a changing image when the user enters the password is a good idea. Lets the user see that something is happening. Combine that with either a hidden field, javascript variable or ajax call for each letter and you should have a first solution to present in your project.
Mikael Svenson
A: 

While I also agree with everyone else that this is a bad idea, I understand that sometimes you have to do things you disagree with.

I would have suggested what Mikael did but he already did it. :)
To recap:

I would use javascript (onkeydown) to copy each character to a hidden input field, and remove the key entered in the box.

This would allow you to retrieve the password on postback, while keeping the input field empty for the user.

Of course, if the user presses arrow keys, delete or backspace, you would have to decide how to handle that.

You've said:

My issue with using Javascript and storing in a hidden field is the user viewing the source of the page and seeing it.

I'm pretty sure that viewing the source should only show you what was originally downloaded, not what the user has entered. However, there are tools (i.e. firefox addons) that can do this. You could store the value in a javascript variable and only put the password in the hidden field when it is posted, or use some sort of ajax request to authenticate. However, with the right addons someone could find this as well.

If the issue is someone looking over the shoulder of the person logging in then these concerns (i.e. viewing source) won't matter unless the person who is logging in decides to view the source and show the person in which case it would just be easier for him to tell the other person his password.

drs9222
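
The approach discussed in the two answers above (capture each key, keep the visible box empty, hand the value over only when the form is posted), as an added example that is not part of either answer. `createHiddenEntry`, `attach` and the element ids are hypothetical names; the characters are held in a closure rather than a hidden field until submit, which, as drs9222 notes, still does not hide them from a debugger or add-on.

```javascript
// Added example: keystroke buffer that keeps the visible field empty.
// createHiddenEntry, attach and the element ids are hypothetical names.
function createHiddenEntry() {
  let chars = [];                        // held in a closure, not in the DOM

  return {
    // Returns true when the caller should preventDefault(), so that
    // nothing (no dots, no caret movement) is rendered in the field.
    handleKey(ev) {
      // Let shortcuts, Tab and Enter through so focus and submit still work.
      if (ev.ctrlKey || ev.metaKey || ev.altKey) return false;
      if (ev.key === 'Tab' || ev.key === 'Enter') return false;
      if (ev.key === 'Backspace') { chars.pop(); return true; }
      // With no visible caret, arrows/Delete/Home/End cannot be honoured:
      // swallow them so the buffer always matches append-only typing.
      if (ev.key.length !== 1) return true;
      chars.push(ev.key);
      return true;
    },
    // Hand the value over once (at submit) and wipe the buffer.
    take() {
      const value = chars.join('');
      chars = [];
      return value;
    },
  };
}

// Browser wiring: visible box stays empty, hidden field is filled at submit.
function attach(form, visible, hidden) {
  const entry = createHiddenEntry();
  visible.addEventListener('keydown', (ev) => {
    if (entry.handleKey(ev)) ev.preventDefault();
  });
  // Paste bypasses keydown and would show text, so block it.
  visible.addEventListener('paste', (ev) => ev.preventDefault());
  form.addEventListener('submit', () => { hidden.value = entry.take(); });
  return entry;
}

// Skipped when the file is run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  attach(document.getElementById('login'),
         document.getElementById('pw-visible'),
         document.getElementById('pw-hidden'));
}
```

Input from IMEs and some mobile keyboards reaches `keydown` as `Unidentified` or `Process` rather than the typed character, so this handler drops it; the login must be posted over HTTPS because the hidden field carries the password in clear form data.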
+1  A: 
<input type="password" name="password" style="color:White;"/>

seems close to your requirement but some browsers highlight input fields with yellow when you are in them. Setting the font size to 1px is another trick you could try.

But easiest might be to instead use z-index to put an image or colored DIV on top of the password field. Maybe an animated gif with a line of * characters that grows and shrinks randomly would be best - would totally confuse onlookers! :-)

How the user even knows the field is selected is another issue you'll have, maybe some extra javascript to detect and tell them that.

Hightechrider
I think some browsers will show the cursor blinking in the field. Not sure if you can turn this off by changing the color.
Mikael Svenson
A: 

Agreeing that it's not the best idea...

1) When you start typing, on each key press, restrict a specific character from being entered as part of a password (eg pipe) then when the user types, add a random number of pipes (eg between 0 and 4 pipes) then just remove these server-side?

2) Add these to a hidden field...if the user does a View_Source, they will only see the original value of the field, ie will be empty...just remember to clear the value if you need to depending on how it's rendered (asp.net webform hidden field control) etc

3) Have 2 password boxes that need 2 passwords (just as bad an idea)

Mark Redman
A: 

I confirmed the requirement with a security officer and apparently I misread the requirement. However, I have seen Windows based applications perform this. The cursor moves on each key stroke but no star, asterisk or bar is used. Thanks to everyone for their suggestions and comments.

Corin