How bad are usernames and passwords stored in hidden form fields?

Suppose you've got a webapp that's passing usernames and passwords around in hidden form fields.

I know it's a very bad idea, but I'm interested in enumerating why... any thoughts?

Update: This is a hypothetical question.

I couldn't find a resource that just enumerated the reasons - I know of plenty of reasons why it's a bad idea, I'm looking to see if there are any other reasons I haven't thought of and create that resource I was looking for. Thanks!

brabster asked Jan 20 '26 03:01


2 Answers

A number of reasons why it is a poor idea:

1) As pointed out, if you view source, inspect element, or anything similar, then the username/password is easily discovered.

2) Unless your transport layer is encrypted, they will be easily intercepted.

3) If the browser caches your html page, then that file with a username/password is now stored on that person's computer.

4) If that user saves the page to give to someone else, then their username/password goes with that page.

5) A POST method accidentally gets changed to a GET; now the password and username are stored in the server access logs...

Etc, etc.

There is no real reason to do it in my opinion, especially when you can use session cookies on the server, or some other method that doesn't expose private information to the client.

Edit: Come to think of it, I have done this once before. I put a password in a hidden field; however, before printing it out I encrypted it with a secret key known only to the server, and then when the password was posted back to the server, I decrypted it. Therefore the plaintext password is never with the client.

Edit 2: Should probably point out that the method described in the previous edit was not used for directly authenticating someone, as per hobbs' point.

Alistair Evans answered Jan 21 '26 21:01
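The points in the answer above (credentials readable from page source or a saved copy, and a POST that becomes a GET landing in the access log) and the session-cookie alternative it recommends, shown end to end as an added example. This is not code from the question or either answer: the HTML page, the access-log line and the `SessionStore` class are constructed here for illustration, and the `verify` callback passed to `login` stands in for whatever real credential check an application would have.

```python
"""Why credentials in hidden form fields leak, and the session-token alternative.

Added example: the page, the log line and the session store below are constructed
for illustration and are not code from the original question or answers.
"""
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# ---- The anti-pattern: the server round-trips the credentials through the client ----

def render_hidden_field_page(username: str, password: str) -> str:
    """Second step of a multi-page flow that (wrongly) carries the login in hidden fields."""
    return (
        '<form method="post" action="/step2">\n'
        f'  <input type="hidden" name="username" value="{html.escape(username, quote=True)}">\n'
        f'  <input type="hidden" name="password" value="{html.escape(password, quote=True)}">\n'
        '  <input type="submit" value="Continue">\n'
        '</form>\n'
    )

_HIDDEN_INPUT = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"')

def recover_hidden_fields(page_html: str) -> dict:
    """What 'view source', a browser-cache copy or a saved page hands to whoever reads it."""
    return {name: html.unescape(value) for name, value in _HIDDEN_INPUT.findall(page_html)}

def access_log_line_if_method_becomes_get(form: dict) -> str:
    """Constructed Common Log Format line: once the form is submitted with GET,
    every field, password included, sits in the request line the server logs."""
    query = urlencode(form)
    return (f'127.0.0.1 - - [20/Jan/2026:03:01:00 +0000] '
            f'"GET /step2?{query} HTTP/1.1" 200 512')

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

def credentials_in_log_line(log_line: str) -> dict:
    """Pull the query parameters back out of a logged request line (what a log reader sees)."""
    match = _REQUEST_LINE.search(log_line)
    if not match:
        return {}
    query = urlparse(match.group(1)).query
    return {key: values[0] for key, values in parse_qs(query).items()}

# ---- The alternative the answer recommends: an opaque server-side session ----

class SessionStore:
    """Maps random tokens to usernames; the password never leaves the server after login."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str, password: str, verify) -> str:
        """verify(username, password) -> bool is the app's real credential check (hypothetical)."""
        if not verify(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)      # 256 bits of randomness, unguessable
        self._sessions[token] = username
        return token

    def user_for(self, token: str):
        """Resolve a token to its user; None for unknown tokens."""
        return self._sessions.get(token)

def session_cookie_header(token: str) -> str:
    """The only thing the client holds: an opaque token, kept out of scripts and off plain HTTP."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    page = render_hidden_field_page("alice", "hunter2")
    print("recovered from page source:", recover_hidden_fields(page))
    line = access_log_line_if_method_becomes_get({"username": "alice", "password": "hunter2"})
    print("recovered from access log: ", credentials_in_log_line(line))
    store = SessionStore()
    token = store.login("alice", "hunter2", lambda u, p: (u, p) == ("alice", "hunter2"))
    print(session_cookie_header(token), "->", store.user_for(token))
```

The first half shows that HTML escaping does nothing to protect the value (it is trivially unescaped), and that the same credential pair falls out of an access log as soon as the method changes. The second half keeps the password on the server: the client only ever receives a random token, and the `HttpOnly` and `Secure` attributes keep that token away from page scripts and off unencrypted connections.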


It's so easy for anyone with access to the current page (not necessarily the same person who logged into your application) to view the HTML source and get the user name and password.

If I log into my Gmail and leave my desk, and you come in, you can see all my email messages. But no matter what, you can't see my Gmail password. But if Gmail passes the password around in hidden fields, then you can see my Gmail password.

Graviton answered Jan 21 '26 19:01

