I am wondering if I should re-populate the (masked) password field in a form when other fields don't validate. I have seen both on the web where the form would either:
What is your best practice? Does re-populating the password field indicate a security hole? Usability-wise I would prefer to re-populate the field and not have the user re-enter it.
<input> elements of type password provide a way for the user to securely enter a password. The element is presented as a one-line plain text editor control in which the text is obscured so that it cannot be read, usually by replacing each character with a symbol such as the asterisk ("*") or a dot ("•").
Many think a confirm password field is necessary when creating a password. This is because a password field masks the user's input: if users mistype their password, they won't notice. The confirm field catches typos by prompting users to type their password twice.
To take password input in an HTML form, use the <input> tag with the type attribute set to password. This is also a single-line text input, but it masks each character as soon as the user enters it.
You can't change the password masking character in the standard password field. You can fake it with a textbox, but that makes for a weak security model because you don't get the protection you get from the password textbox.
One option, if you want to do this, is to not actually send the password back in plain text but a random token. Since it's a password field, the user won't be able to tell (except from the length). Then store the hashed password and the token in the session. When the user submits the form, if the password field is the same as the stored token, use the stored password hash; otherwise use the submitted password. This solves the cache issues (since the random token will have no meaning in requests by other sessions). That way you never need to store or transmit the raw password after the initial form submission...
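The token scheme described in the answer above, worked through as an added example (this is not code from the original post). It assumes an in-memory dict standing in for the server-side session, a toy validator for the non-password fields, and PBKDF2 as the password hash; the function names (`stash_for_redisplay`, `resolve_password`, `handle_submit`) are hypothetical. It goes slightly beyond the answer in two places: the token is rotated on every re-render and removed from the session as soon as it is consumed, so a token that leaks from one rendered page cannot be replayed later or from another session.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 stands in for a real password hasher
# (argon2/bcrypt in production).  Output layout is salt(16) || digest.
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2(password, salt); a fresh salt unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(hash_password(password, salt)[SALT_LEN:], digest)


def _is_current_token(session: dict, field_value: str) -> bool:
    token = session.get("pw_token")
    # Compare as bytes: hmac.compare_digest rejects non-ASCII str input.
    return token is not None and hmac.compare_digest(field_value.encode("utf-8"), token.encode("ascii"))


def stash_for_redisplay(session: dict, field_value: str) -> str:
    """Other fields failed validation: hash the password now, keep hash + a
    random token in the session, and return the token to put in the
    re-rendered password field's value attribute instead of the password."""
    if _is_current_token(session, field_value):
        pw_hash = session["pw_hash"]          # unchanged since last render; keep the hash
    else:
        pw_hash = hash_password(field_value)  # user typed (or retyped) a real password
    token = secrets.token_urlsafe(24)         # fresh single-use token per render
    session["pw_hash"] = pw_hash
    session["pw_token"] = token
    return token


def resolve_password(session: dict, field_value: str) -> bytes:
    """Form finally validated: if the field still holds our token, reuse the
    stored hash; otherwise hash what the user typed.  The stash is dropped
    either way, so the token cannot be presented twice."""
    stored = session.pop("pw_hash", None)
    matched = _is_current_token(session, field_value)
    session.pop("pw_token", None)
    if matched and stored is not None:
        return stored
    return hash_password(field_value)


def validate_form(fields: dict) -> list:
    """Constructed toy validator for the non-password fields."""
    errors = []
    if "@" not in fields.get("email", ""):
        errors.append("email")
    return errors


def handle_submit(session: dict, fields: dict) -> dict:
    """Simulate one POST of the form.  On failure the caller re-renders the
    form with password_value in the masked field; on success it persists
    password_hash and never sees the plaintext again."""
    errors = validate_form(fields)
    if errors:
        return {"errors": errors,
                "password_value": stash_for_redisplay(session, fields["password"])}
    return {"errors": [], "password_hash": resolve_password(session, fields["password"])}


if __name__ == "__main__":
    session = {}
    first = handle_submit(session, {"email": "not-an-email", "password": "hunter2"})
    print("re-render with token:", first["password_value"])
    second = handle_submit(session, {"email": "a@example.org", "password": first["password_value"]})
    print("stored hash valid for original password:", verify_password("hunter2", second["password_hash"]))
```

Two caveats the answer only hints at: the token is written into the HTML response, so it is only as secret as that page (hence rotate per render, bind to the session, and expire with it), and the field's masked length reveals the token length rather than the password length, which is the trade-off the answer accepts.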