in reply to password problem with non-alphanumerics

<input type="hidden" name="old" value="%PASSWORD%">
<input type="hidden" name="new" value="%PASSWORD%">
<input type="hidden" name="new2" value="%PASSWORD%">
This is a little evil, especially if the page gets cached, or is history-browsable. View source, and there's your password.

Maybe it's not a big concern, but it's something to chew on. "User Editor Page and clear text passwords" has a discussion from when it happened on PerlMonks.

Re: Re: password problem with non-alphanumerics
by hmerrill (Friar) on May 07, 2004 at 13:50 UTC
    I agree with "sporty" - although this wasn't the subject of your question, if you haven't already thought about this, you should think about encrypting your password *before* placing it in a form to be posted in a hidden field. If you are storing the user IDs and passwords in a table (or file) one method would be to take the password the user entered and encrypt it, then store the encrypted password in the user table - then when the user wants to sign back in, take the password he/she enters and encrypt it, and compare that encrypted password to the encrypted password stored for that user ID - if it matches, grant access.
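
The store-and-compare scheme from the reply above, as an added example that is not code from the thread: the "encrypt" step is done here with a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 built on the core Digest::SHA module), so the form never needs the password echoed back into hidden fields. The function names, storage format, iteration count, sample passwords and the use of /dev/urandom (Unix-like systems) are assumptions made for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);
use Encode qw(encode_utf8);

my $ITER = 100_000;    # illustrative work factor, tune for your hardware

# PBKDF2-HMAC-SHA256, first 32-byte block only (RFC 8018, block index 1).
sub pbkdf2 {
    my ($pw, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $pw);    # data first, key last
    my $t = $u;
    for (2 .. $iter) { $u = hmac_sha256($u, $pw); $t ^= $u }    # string XOR
    return $t;
}

# Returns "iterations$salt_hex$hash_hex"; this is what goes in the user table.
sub hash_password {
    my ($pw) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $salt, 16) == 16 or die "short read from urandom";
    return join '$', $ITER, unpack('H*', $salt),
        unpack('H*', pbkdf2(encode_utf8($pw), $salt, $ITER));
}

# Re-derive from the typed password and compare without an early exit.
sub verify_password {
    my ($pw, $stored) = @_;
    return 0 unless defined $stored;    # unknown user ID
    my ($iter, $salt_hex, $want) = split /\$/, $stored;
    my $got = unpack 'H*', pbkdf2(encode_utf8($pw), pack('H*', $salt_hex), $iter);
    return 0 if length($got) != length($want);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

# Handler for the old/new/new2 form: all three values are typed by the user.
sub change_password {
    my ($users, $id, $old, $new, $new2) = @_;
    return 'bad old password' unless verify_password($old, $users->{$id});
    return 'new passwords differ' unless $new eq $new2;
    $users->{$id} = hash_password($new);    # only the hash is ever stored
    return 'ok';
}

my %users = (alice => hash_password(q{p@ss"w<o>rd&%}));    # constructed sample
print change_password(\%users, 'alice', 'wrong', 'x', 'x'), "\n";
print change_password(\%users, 'alice', q{p@ss"w<o>rd&%}, q{n3w;'--}, q{n3w;'--}), "\n";
print verify_password(q{n3w;'--}, $users{alice}) ? "login ok\n" : "login failed\n";
```

Because the password is hashed as raw bytes and never written into HTML, quotes, angle brackets and other non-alphanumerics need no escaping on the way through.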