views:

84

answers:

3

OK I see a lot of people asking about passing other values, URLS, random stuff through a URL, but don't find anything about sending a password to a password field.

Here is my situation:

I have a ton of sites I use on a daily basis with my work and oh about 90% require logins. Obviously remembering 80 bajillion logins for each site is dumb, especially when there are more than one user name I use for each site. So to make life easier, I drew up a nifty JSP app that stores all of my logins in a DB table and creates a user interface for the specific page I want to visit. Each page has a button that sends a username, password into the id parameters of the html inputs.

Problem:

I can get the usernames and other info to show up just dandy, but when I try and send a password to a password field, it seems that nothing gets received by the page I'm trying to hit.

Is there some ninja stuff I need to be doing here or is it just not easily possible?

Basically this is what I do now:

http://addresshere/support?loginname=steveoooo&loginpass=passwordhere

and some of my html looks like this:

<form name="userform" method="post" action="index.jsp" > 
    <input type="hidden" name="submit_login" value="y"> 
    <table width="100%"> 
        <tr class="main"> 
            <td width="100" nowrap>Username:</td> 
            <td><input type="text" name="loginname" value="" size="30" maxlength="64"></td> 
        </tr> 
        <tr class="main"> 
            <td>Password: </font></td> 
            <td><input type="password" name="loginpass" value="" size="30" maxlength="64"></td> 
        </tr> 
        <tr class="main"> 
            <td><center><input type="submit" name="submit" value="Login"></center></td> 
        </tr> 
    </table> 
</form>

Any suggestions?

+1  A: 

Steven,

AFAIK, most browsers will not pass POST or GET data to prefill a form field with type=password, as it really just makes things even easier for bots. Further, most sites will protect against this. When you see it prefilled, it's usually your browser saving the password client-side and then filling the password for you - this information never goes out over the net. Hopefully you understand the security implications of sending your username and password in plaintext on a request to a remote server.

Since what's built into browsers already doesn't seem to be doing the job for you (password access from multiple computers, perhaps?) what you're more likely looking for is a browser extension that supports storing those passwords for you and will do the insertion via JS or something client-side. Not endorsing any particular product, but here's an example: https://addons.mozilla.org/en-US/firefox/addon/8542. This of course means your passwords are stored on someone else's servers, though, which may be something you want to avoid.

If you want or need total control of that data, another product you might look at is keepass (which I use as a DB stored on a USB key for not only web sites, but passwords for just about everything I have): http://www.keepass.info

AvatarKava
Fixed busted link - that'll teach me to spell properly :)
AvatarKava
A: 

Most browsers have a built-in feature, or an extension to remember passwords for you, so there's no need to roll your own.

Additionally, trying to send your passwords in GET variables is a bad idea -- your password will be saved in your browsing history in plain text and most likely in several server logs scattered around the internet.

Carson Myers
Well I'm not password protecting buried treasure here obviously. TPIW.
Steven Wright
A: 

You should probably look into using KeePass or a similar password-manager program. Sending your full login info in the clear as part of a URL is a really bad idea, there are various points along the line that someone else would be able to access it.

Chad Birch