简体繁体 English

在HTML Webforms中屏蔽用户的密码

[英]Masking password from user in HTML Webforms

原文 2009-05-26 19:59:15 4 2 html/ webforms/ passwords

I'm working on a weblog application in php and javascript. 我正在使用php和javascript开发Weblog应用程序。 I use windows live ID for authentication. 我使用Windows Live ID进行身份验证。 The user needs to provide a password for windows live writer because live writer can't use live id. 用户需要为Windows Live writer提供密码，因为Live writer无法使用Live ID。

I want to enable the user to edit his password in an html webform. 我想使用户能够在html网络表单中编辑他的密码。 although the password is typed into a password field showing only *, the value is clearly visible inside the html. 尽管将密码键入仅显示*的密码字段，但该值在html内清晰可见。 Are there any ways to hide or mask the password in the html? 有什么方法可以隐藏或屏蔽html中的密码吗？ I can't use a type old/ type new password principle because the password is not required. 我不能使用旧类型/新密码类型，因为不需要密码。 Any ideas? 有任何想法吗？

2 个解决方案

If they can't see anything but "*" characters, they can't edit the existing password, so don't bother setting the value of that input field. 如果他们只能看到“ *”字符，那么他们将无法编辑现有密码，因此不必费心设置该输入字段的值。 Just let them type in a new one from scratch. 只是让他们从头开始输入一个新的即可。

Also, serve the password change form and the POSTed response over HTTPS, not HTTP, to secure the new value. 另外，通过HTTPS（而非HTTP）提供密码更改表单和POSTed响应，以确保新值的安全。

In most applications, the password is unable to be returned to the user for them to edit it. 在大多数应用程序中，无法将密码返回给用户以供他们编辑。 I, and most security-minded programmers, hash their passwords so that there is no possible way to come up with the original password, the applications just store the hash. 我和大多数具有安全意识的程序员都会对他们的密码进行哈希处理，以便没有办法提出原始密码，而应用程序只存储哈希值。 When someone logs into the site, they take the password provided, hash it, and compare it to the stored hash to see if it matches. 当某人登录该站点时，他们将使用提供的密码，对其进行哈希处理，然后将其与存储的哈希进行比较以查看其是否匹配。 This virtually guarantees that the user's password can not be stolen via SQL Injection. 这实际上保证了用户密码不能通过SQL Injection被盗。