aspx thread: RE: Password field...


Message #1 by Sam Clohesy <sam@e...> on Wed, 17 Apr 2002 08:59:44 +0100
Hi, anyone know how to prepopulate a password text field with ***** (but
they will actually be the user's password)?

We are trying to complete an 'update your details' page and the framework
does not seem to allow pre-population of password boxes. (I may be wrong
on this point)

Any pointers would be much appreciated

Thanks

Sam
Message #2 by "Chris Kersey" <ckersey@m...> on Wed, 17 Apr 2002 09:52:39 -0700
A password field is the same as an input field with the type set to password
(<input type=password ...>) so you would set the value property equal to the
password.   The password style input field fills in the **** for you when
you type in the password, or when you prepopulate the value of the control.

I wouldn't prepopulate the password value field however, if you're concerned
*at all* about security, because the value field.... <input type=password
value=mypassword>... will be visible to anyone who views the source of the
html page.

Instead, I would give the users the ability to change their existing
password (without *ever* presenting their current password back to them).
This is because you can't be certain that the person you are presenting the
password to is in fact the person who created the password in the first
place.  Even if the password looks like this **** in the password field, you
can still view the html source and see under the hood <input type="password"
value="someonestealmypassword">.

It would be bad if someone logged in, walked away from their computer, and
someone else walked up and then changed the user's password, thereby locking
them out of their own application.  So even if the user is logged in, I
wouldn't allow the password to be changed without supplying the current
password.

Is that what you mean?

Chris


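Chris's advice above (never hand the current password back to the page, and require it again before accepting a change) is straightforward to implement server-side. The following is an added example, not code from the thread or from ASP.NET: a Python sketch of an 'update your details' handler with a constructed in-memory user store. It assumes passwords are kept only as salted PBKDF2 hashes (so there is nothing to pre-populate), renders the password inputs with no value attribute, and refuses a change unless the current password verifies.

```python
import hashlib
import hmac
import html
import os

# Constructed in-memory store for the example: username -> (salt, PBKDF2 hash).
# Only a salted hash is stored, so the page never has a cleartext password to show.
USERS: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-size verifier from the password; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(username: str, password: str) -> None:
    """Store (or rotate) a user's verifier; a fresh salt is drawn on every change."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored verifier."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def render_update_form(username: str, email: str) -> str:
    """Render the 'update your details' form.

    Non-secret fields are pre-filled (HTML-escaped). The three password inputs
    carry no value attribute at all, so view-source shows nothing to steal.
    """
    return (
        '<form method="post" action="/update">\n'
        f'  <input type="text" name="username" value="{html.escape(username, quote=True)}">\n'
        f'  <input type="email" name="email" value="{html.escape(email, quote=True)}">\n'
        '  <input type="password" name="current_password" autocomplete="current-password">\n'
        '  <input type="password" name="new_password" autocomplete="new-password">\n'
        '  <input type="password" name="confirm_password" autocomplete="new-password">\n'
        '  <button type="submit">Save</button>\n'
        '</form>'
    )


def change_password(session_user: str, current: str, new: str, confirm: str) -> tuple[bool, str]:
    """Handle the POST.

    Being logged in is not enough: the current password must be re-supplied,
    which is what stops a passer-by at an unattended session from locking the
    real user out of their own account.
    """
    if new != confirm:
        return False, "new password and confirmation do not match"
    if len(new) < 12:
        return False, "new password must be at least 12 characters"
    if not verify_password(session_user, current):
        # Same generic message whether or not the user exists.
        return False, "current password is incorrect"
    set_password(session_user, new)
    return True, "password changed"


if __name__ == "__main__":
    set_password("sam", "correct horse battery staple")
    print(render_update_form("sam", "sam@example.com"))
    print(change_password("sam", "wrong", "a much longer passphrase", "a much longer passphrase"))
    print(change_password("sam", "correct horse battery staple",
                          "a much longer passphrase", "a much longer passphrase"))
```

The form deliberately has no path that reads the stored verifier back into the markup; the only thing the handler ever does with the current password is compare it. Rotating the salt on every change means an old verifier cannot be reused to confirm a guess against the new one.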
Message #3 by Sam Clohesy <sam@e...> on Wed, 17 Apr 2002 18:12:05 +0100
Hi Chris, thanks for getting back to me.
That's kinda what I mean except it is going to be for an 'update your
details' page so the user will have logged in, the client wants to have an
encrypted password ***** which the user can change. At the present time I
have been unable to give a password text box a value, for example:

  If Not IsDBNull(myReader.Item("Password")) Then
      ' Fill both password boxes from the data reader
      Password.Text = myReader.Item("Password")
      ConfirmPassword.Text = myReader.Item("Password")
  Else
      Password.Text = ""
  End If

However my (<asp:textbox id="Password" runat="server" size="25" text="text"
textMode="password"></asp:textbox>) password fields are always blank.

We are validating between the fields and the user has logged in already
so we may avoid writing a custom web control e.g.

myReader["Password"].ToString etc 

Any suggestions much appreciated

Ta

Sam


Message #4 by "Chris Kersey" <ckersey@m...> on Wed, 17 Apr 2002 10:44:16 -0700
In my opinion, the <input type="Password" value="stealmenow"> field was
flawed in that it *allowed* you to set the value.  It would appear that .NET
has re-visited this in their form control for the password field.  It
properly does not maintain its state when you do a post back, and for the
same reason, it does not allow you to prepopulate it with any values.
Someone can correct me on this if I'm wrong, but it makes complete sense to
the security-wary programmer.

If you want to "hack" it, you'll have to go back to using the standard html
input field and set its type to password because it does allow you to
pre-populate.

*or*, if you want to get too tricky (not advisable, but what the hay...), you
can use a javascript to populate the password field "after the form has
loaded"  <body
onload="Javascript:PrepopulateMyPasswordField('<%=GetMyPassword();%>');">.
In your javascript, just do some inline .aspx <%=output password to
inputfieldId Here from the database%> and you'll get the same type of
result.... but because the <%= is there, the person can still view source
and happily see the password sitting there in the javascript routine.

<body
onload="Javascript:PrepopulateMyPasswordField('Stealmestealmestealme');">

So really what I would do is go back to my client and explain to them why it
is *bad* to pre-populate password fields .. even if they are encrypted.

1.  If the user steps away, someone can walk up, enter a new password, press
submit and then go merrily home to hack hack hack.
2.  If the user views source and "sees" the password, the user can re-use it
because I'm willing to bet that more than 50% of users use the *same*
password for EVERYTHING.
3.  If the company decides to hire a security specialist to see how the
application holds up to a "best practices" test, you'll wind up re-writing
the logic on your Update page.

Bottom line is that *only users* should know their passwords.  Not system
admins, database admins, or a hack viewing the source on your update page.
Best way to avoid the latter is to not make it available at all.

Chris


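Both workarounds Chris describes (a plain <input type=password value=...> and the onload JavaScript fed by <%= %>) leave the password in the served HTML, which is exactly what a reviewer doing the "best practices" test in point 3 would look for. As an added check, not part of the thread, the following Python scans rendered page output for password inputs that carry a value attribute and for any attribute, script body or text node containing a known secret. The secret and the three HTML fragments are constructed samples modelled on the examples in this thread; the class and function names are this example's own.

```python
from html.parser import HTMLParser


class PasswordFieldScanner(HTMLParser):
    """Collect every <input type=password> that carries a value attribute, plus every
    attribute value, script body or text node that contains a known secret."""

    def __init__(self, secret: str):
        super().__init__()
        self.secret = secret
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; valueless attributes arrive as None.
        attrs = {k: (v or "") for k, v in attrs}
        tag = tag.lower()
        if tag == "input" and attrs.get("type", "").lower() == "password" and "value" in attrs:
            name = attrs.get("name") or attrs.get("id") or "?"
            self.findings.append(f"password input '{name}' has a value attribute")
        for k, v in attrs.items():
            # Catches <body onload="...('secret')"> and value="secret" alike.
            if self.secret and self.secret in v:
                self.findings.append(f"<{tag}> attribute '{k}' contains the secret")

    def handle_data(self, data):
        # Script bodies and ordinary text (e.g. inline <%= %> output) arrive here.
        if self.secret and self.secret in data:
            self.findings.append("text/script content contains the secret")


def find_password_leaks(rendered_html: str, secret: str) -> list[str]:
    """Return a list of human-readable findings for one rendered page; empty means clean."""
    scanner = PasswordFieldScanner(secret)
    scanner.feed(rendered_html)
    scanner.close()
    return scanner.findings


# Constructed samples echoing the thread's examples (not real output from any application).
SECRET = "Stealmestealmestealme"
LEAKY_INPUT = '<form><input type="Password" name="Password" value="Stealmestealmestealme"></form>'
LEAKY_ONLOAD = ('<body onload="Javascript:PrepopulateMyPasswordField(\'Stealmestealmestealme\');">'
                '<input type="password" id="Password"></body>')
LEAKY_SCRIPT = ('<script>document.getElementById("Password").value = '
                '"Stealmestealmestealme";</script>')
CLEAN = '<form><input type="password" name="Password" autocomplete="current-password"></form>'


if __name__ == "__main__":
    for label, page in [("input", LEAKY_INPUT), ("onload", LEAKY_ONLOAD),
                        ("script", LEAKY_SCRIPT), ("clean", CLEAN)]:
        print(label, find_password_leaks(page, SECRET))
```

In practice the scan runs over the HTTP response bodies of an authenticated session, with the "secret" being a test account's known password; the value-attribute check is useful on its own even when no secret is known, because a password input should never need one.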
Message #5 by Sam Clohesy <sam@e...> on Wed, 17 Apr 2002 18:59:04 +0100
Hi Chris thanks for this it is really useful

Sam
