Knowledgebase

display password in clear text

Posted by ryan14, 01-24-2010, 12:29 AM
What are the risks with making the password field in a PHP form display the password a user enters in clear text? Normally password fields in PHP show an asterisk so you cannot view the password you're typing, but I do NOT want the asterisk to show, I want the password to be displayed in clear text. How do I do this and what are the risks? Asterisks do not encrypt the password, do they? So it only makes the password being entered not visible, right? Also, on my cellphone when I enter a password on a website's login form, when I press a letter it is displayed for 1 second then it turns into an asterisk. Any way to do this with PHP or JavaScript/Ajax? Also, is it possible to display a user's partial password if they use a "forgot password" feature in PHP? Like if a user's password was 12345a, is it possible that if they click "forgot password" that it could display their partial password like 123xxx?

Posted by Cmafai, 01-24-2010, 12:40 AM
The risk is simply that if someone comes back to the user's computer while they are away, their browser might remember the password and another person could just read it. Same situation with someone just watching the person type the password or something. In any event it's a bad idea and makes many users less comfortable using your site. But, if you really want to do it, just have your HTML look like this: instead of The "name" attribute could be whatever you want... You could do this. It might be a tad annoying, but you can probably find a nice script with some Googling. You'd need to capture each keystroke with JavaScript and save what they've typed, but then put in an asterisk after each keystroke as well. You'd have to store the partial password in a database. Hopefully you'd encrypt that heavily so that if anyone got access to your database they wouldn't get part of everyone's password... Overall, this is a horrible idea and is very insecure so I strongly recommend you don't do anything you've described in your post.

Posted by tim2718281, 01-24-2010, 09:22 AM
You may as well just include on the web site a list of userids together with the first few characters of their passwords. But generally, you don't want the server to store users' passwords. Instead, the server code encrypts the plain-text password with a one-way cipher, and stores the result of that. The idea is that it is computationally infeasible to obtain the plain-text password from the encrypted form. When the user logs in, they give their password, the server encrypts it, and checks if the result matches the encrypted form stored in the server's database. But the server cannot tell the user what the user's password is, because the server does not have a plain-text copy.

Posted by Dr:linux, 01-26-2010, 03:03 AM
This is the HTML code for displaying clear text in a password field. To test, use it in any of your .html files.
N.B. This is only the code for displaying a clear text password.

Posted by mattle, 01-26-2010, 11:43 AM
Um...I think you're missing some function definitions.

Posted by 4umfreak, 01-26-2010, 12:44 PM
Cmafai made a very good point here that didn't get the emphasis it deserved.
> The risk is simply that if someone comes back to the user's computer while
> they are away, their browser might remember the password and another
> person could just read it.
Browsers are very good at remembering what you typed into webforms. They recognize that password fields should not be cached and reused next time you visit that form. In your case the browser wouldn't know it was a password and will cache these values for future visits to the same page... All-in-all, it's a horrible idea. Let it go.

Posted by acenetbrian, 01-26-2010, 03:30 PM
Using a "password" text form field isn't going to make the password any more or less secure other than what it seems the implications would be at face value.
[1] The asterisks prevent over-the-shoulder reading of the password
[2] The asterisks prevent discovering the password through the browser's BACK feature
But, if the individual is having their browser "remember" the password for them it's entirely moot. The browser will store those "remembered" passwords in plain text in its own little "database" of stored logins. That is, at least I know that IE, Firefox, and Chrome save them in plain text. So, the protection that the asterisk field provides is extremely limited at best. Don't rely on it for more security than it actually is. It's just "over the shoulder" password hunting protection. Still, I would always prefer to use it than to use a regular text field. As for storing passwords in plain text, a bad idea all around. We've actually made custom changes to our billing system (ModernBill) to prevent it from storing passwords in plain text. It does this by default. Frankly, that's scary. Most people would go out of their way to remove any plain text stored passwords, not the other way around. Make sure the client has a quick and easy method to have their password reset on request. It's a much better option to generate a new password for a client who has forgotten their password than to start storing plain text passwords somewhere (even if only partial). The client can (and should) immediately change the password after their reset anyway. After all, the newly reset password would have arrived to them via email (plain text).
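
Added example, not part of any post in this thread: a PHP sketch of the one-way password storage tim2718281 describes and the reset-on-request flow acenetbrian recommends, using a single-use reset token in place of an emailed replacement password. The in-memory arrays, function names and sample credentials are assumptions made for illustration, and the caller is assumed to have confirmed the account exists before issuing a token.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "tables"; a real application would use a database.
$users = [];        // username => password hash
$resetTokens = [];  // username => ['hash' => ..., 'expires' => ...]

function register_user(array &$users, string $name, string $password): void
{
    // Only the salted one-way hash is stored; the plain text is discarded.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function check_login(array $users, string $name, string $password): bool
{
    // Re-hash the submitted value with the stored salt and compare.
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

function issue_reset_token(array &$resetTokens, string $name, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));       // unguessable random value
    $resetTokens[$name] = [
        'hash'    => hash('sha256', $token),  // store only a hash of the token
        'expires' => time() + $ttl,
    ];
    return $token; // delivered to the user inside a reset link
}

function redeem_reset_token(array &$users, array &$resetTokens, string $name,
                            string $token, string $newPassword): bool
{
    $row = $resetTokens[$name] ?? null;
    if ($row === null || time() > $row['expires']
        || !hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resetTokens[$name]);               // single use
    register_user($users, $name, $newPassword);
    return true;
}

// Constructed sample run using the password from the original question.
register_user($users, 'ryan', '12345a');
var_dump(check_login($users, 'ryan', '12345a'));
var_dump(check_login($users, 'ryan', '123xxx'));
echo $users['ryan'], "\n"; // the stored hash; no prefix of the password is recoverable
$token = issue_reset_token($resetTokens, 'ryan');
var_dump(redeem_reset_token($users, $resetTokens, 'ryan', $token, 'new-Passphrase-1'));
var_dump(redeem_reset_token($users, $resetTokens, 'ryan', $token, 'again'));
```

Because only the hash is stored, a "forgot password" page has nothing it could display as 123xxx; the only thing the server can offer is a reset.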

Posted by Host Ahead, 01-26-2010, 08:54 PM
I agree with everyone else here, don't do it! It might seem like it would increase the usability of your website, but the security issue is more important. Compare it with your door, it would be so much easier not locking it every time you leave your house and losing your keys etcetera... but in the end you really want to keep your door locked. Considering this, there's one thing you can do to make it slightly less vulnerable and that is adding the attribute autocomplete="off" to your textbox ie: This will make sure that whenever a user enters this textbox he will not see suggestions from the past. If you want to make it better you can make sure the name-attribute is something very uncommon (like a GUID or so). This is because the browser checks for the name-attribute to make suggestions. If you name it email for example, the browser will suggest this value for every textbox it encounters with the name attribute set to email. So, to conclude, I would say, DON'T!

Posted by Master Bo, 01-27-2010, 07:18 AM
I think that possible security-related problems would negate the idea to display passwords in clear text. There will be no guaranteed means to prevent the browser from remembering the typed-in password. There are a number of scripts and approaches to make password input more useful, e.g. Chroma Hash

Posted by Driver01, 01-27-2010, 09:09 AM
As a few have said it is important to remember this is not necessarily a security issue server-side, more so for your users, client-side. If you're thinking of your users by doing this then I would say don't, if the browser caches the password or someone sees their password then the issue becomes your problem in the fact you have unauthorised user access to your site. All of your questions have the same sort of issue, ask yourself are you willing to sacrifice security for usability? Maybe even more importantly ask your members would they be happy for you to make it easier for them to use your site but it would be less secure than normal? Personally I am someone that enters my passwords in every time I visit and I clear the cache after I visit a site that's important. As for the site I use I expect them to do all they can in order to protect my information.

Posted by NoSupportLinuxHostin, 01-27-2010, 01:36 PM
The biggest problem with clear text password fields is in public labs, such as a library or college computer room. It is hard to protect against people looking over each others' shoulders in a public lab.

Posted by TDS-chriss, 01-30-2010, 05:22 PM
Why? Knowing the reasons behind your thinking might lead to suggestions of more practical alternatives.

Posted by The Lax Forums, 01-31-2010, 10:54 PM
This worked for me, thanks. I wanted to do this a while ago and couldn't find it anywhere; it just makes signing in easier for members.

Posted by kjsrs, 01-31-2010, 11:49 PM
FWIW, I immediately leave any site that has me enter my password into a text field instead of a password field. To me, it shows that the site designer doesn't know what they are doing when it comes to security.

Posted by wdaher, 02-18-2010, 02:20 AM
Agreed -- it's surprising behavior, which is also something you want to avoid when putting together a website.


