Page 1 of 1

Unrepopulated password fields

Posted: Sun Aug 27, 2006 4:47 pm
by Ollie Saunders
On the registeration for these very forums if you make a mistake the form is returned to you but the password fields are not repopulated with the password you entered. Why is this done?

Posted: Sun Aug 27, 2006 4:50 pm
by Ollie Saunders
dw I found out:
As mentioned in the article, password fields are usually blanked out after posting a form to the server and returning with errors. Although annoying, this is indeed done for your protection. When the form is posted to the server and then redisplayed, the password fields have to be repopulated just like any other field—this means writing the password in clear text to the html source. Password fields are displayed as asterisks, but the source data is written as plain text from the server. In fact, in signing up to ALA to post this remark, I tested the form and found this very issue! (Fill in a password field but leave another required field blank, submit the form, then view source.)

Now, what are the odds that I’ll submit the form, then leave my computer unlocked with the partially-submitted form visible so that someone could or would actually find my password? Probably slim. However, don’t forget that now that it’s been written in clear text to my browser, it’s also sitting in clear text in my browser cache as well (indeed, to verify this, I simply browsed to my browser cache folder, did a quick ‘search in files’ for the term ‘password,’ and voila – there’s my cached ALA form entry with my password as clear as day). Probably not a good thing if someone with this basic knowledge ever compromised my machine, especially since most people use the same password for many sites. For this reason, websites should generally never write passwords back to forms from the server (client-side validation does not have this issue, of course, since no data is ever written back to the form until the form contents leave the client).