Masking password from user in HTML Webforms.

views:

187

answers:

Masking password from user in HTML Webforms.

I'm working on a weblog application in php and javascript. I use windows live ID for authentication. The user needs to provide a password for windows live writer because live writer can't use live id.

I want to enable the user to edit his password in an html webform. although the password is typed into a password field showing only *, the value is clearly visible inside the html. Are there any ways to hide or mask the password in the html? I can't use a type old/ type new password principle because the password is not required. Any ideas?

+3 A:

If they can't see anything but "*" characters, they can't edit the existing password, so don't bother setting the value of that input field. Just let them type in a new one from scratch.

Also, serve the password change form and the POSTed response over HTTPS, not HTTP, to secure the new value.

Nat 2009-05-26 20:08:07

You're right. I'm thinking way to complex about this. I'm making a mountain out of a molehill.

Sorskoot 2009-05-26 20:11:53

In most applications, the password is unable to be returned to the user for them to edit it. I, and most security-minded programmers, hash their passwords so that there is no possible way to come up with the original password, the applications just store the hash. When someone logs into the site, they take the password provided, hash it, and compare it to the stored hash to see if it matches. This virtually guarantees that the user's password can not be stolen via SQL Injection.

Daniel 2009-05-26 20:55:17

depends on who wants to steal it and how hard he wants that, hashs of simple passwords are relatively easy and fast to crack

Flo 2009-07-10 14:20:38

ansaurus

tags:

views:

answers:

Masking password from user in HTML Webforms.

related questions