Problem with Password TextMode

  • Thread starter Thread starter Jonathan Dienst
  • Start date Start date
J

Jonathan Dienst

I have a simple data access and administration page for
user details on my site, including a login password --
but I cannot get the textbox to work properly if the
TextMode is set to "Password".

The user details are modified in making a hidden table
with textboxes visible -- in response an edit command
from the datagrid. One of the textboxes is used for the
user's password. If this textbox has the attribute
TextMode="SingleLine" (ie the default) in the HTML,
everything works fine.

If I change the HTML to say TextMode="Password", the
textbox comes up blank when modifying the record, even
though debugging the code behind confirms that the
password was successfully retrieved and entered into the
textbox's Text property.

What gives?
 
Sending the password in plain text to the browser is a bad idea from a
security standpoint so the default security settings discourage it.
(Anybody can do a view source for the page
and see the password)

However there is a workaround. You must set the password text via
clientside script.
Here's the simplest example I've seen:

MyPWTextBox.Attributes.Add("value", strPassword)

This server side code outputs the needed client side code
 
It seems to me that this is exactly the point. If you editing password you
don't want it to be presented on the screen where other people may see it
over your shoulder...
 
Thanks Steve - that sorted the problem out.

This particular app is designed to run over an intranet
and does not contain any really sensitive information, so
the security requirements are modest.

In those cases where the security requirements are more
sever, what is the recommended way of allowing the users
to modify their passwords for a web app?

Regards
Jonathan Dienst
 
Well the standard approach would be something like this:

Enter Old Password:
*******

Enter New Password:
*******

Confirm New Password:
*******

You would normally never want to display their password on the screen if it
can be avoided.
If they forget their password you can email it to them and/or generate a new
password for them.
Secret Question & Answer pairs are an alternate way to authenticate someone
if they forget their password.
Of course the subject of security is deep. There are entire books written
on the subject.
Here's more info for you:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch03.asp

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
Hire top-notch developers at http://www.able-consulting.com
 
Back
Top