Textmode Password

rit01 · March 13th, 2006, 08:22 AM

Hi All

As part of a system I have developed I have a function the enables the user to update their username and password for the site. Basically it pulls their current username and password from the user DB into 2 text fields and then they can alter and update... simple!

The problem I have just encountered is that when you set the password field's textmode to PASSWORD it doesn't show the current password as '*******'. Is it possible to load the current password as I wanted to let the use alter either fields and not both every time.?

Warm Regards

Rit

jbenson001 · March 13th, 2006, 04:29 PM

What does it show? And what do you mean by?

Quote:

quote:
Is it possible to load the current password as I wanted to let the use alter either fields and not both every time.?

rit01 · March 13th, 2006, 04:37 PM

Sorry Jim, I didn't make myself clear did I. Doh!

Basically what I was expecting the password field to do is load up with the users current password hidden behind asterisks so that if they could update the username field without having to retype the password.

At the moment with PASSWORD selected as the textmode for the password field, if they want to update just their username they have to retype their password too as the PASSWORD texmode stops their current password from loading up.

jbenson001 · March 13th, 2006, 05:37 PM

If have never tried to load text into a password type textbox, but I am guessing is's proabaly by design for security purposes.

rit01 · March 13th, 2006, 05:40 PM

No worries, I suppose its there for a good reason.

Thanks anyway!

Rit

Imar · March 13th, 2006, 06:14 PM

Yeah, I agree. It's a security feature, and probably there for a good reason. However, it's also pretty easy to circumvent. Instead of assigning the password to the Text property, you can manually override the attribute "value", like this:

txtPassword.Attributes.Add("value", "The Old Password");

But, like you said: it's there for a good reason. With this trick, you'll be sending down a password in clear text where it can be cached. In fact, you actually shouldn't have the clear text password available on the server in the first place.

A common practice is to not update the password when the field is blank. This requires some explanation to the user, but it might be worth it.

HtH,

Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.

rit01 · March 14th, 2006, 05:11 PM

Thanks Imar,

Rit

theanimation · December 13th, 2006, 11:59 AM

This thread has been helpful to me.

What I ended up doing was

Code:

txtPassword.Attributes.Add("value", "~~~~");

so that four astericks would show up in the field.

Then when the user goes to save the account, it only updates the password if

Code:

txtPassword.Text != "~~~~"

This way, it is clear to the user that a password exists, the password is not sent to the page, and the password can be updated.

(the only flaw might be that no one can use the password "~~~~")