SitePoint Sponsor

User Tag List

Results 1 to 7 of 7
  1. #1
    SitePoint Enthusiast
    Join Date
    Feb 2010
    Posts
    69
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    display '*' when entering a password

    My program should display '*' when entering a password to a text box by a user. How to do that?

  2. #2
    Utopia, Inc. silver trophy
    ScallioXTX's Avatar
    Join Date
    Aug 2008
    Location
    The Netherlands
    Posts
    8,900
    Mentioned
    138 Post(s)
    Tagged
    2 Thread(s)
    What's wrong with the good old <input type="password" /> ?

  3. #3
    Unobtrusively zen silver trophybronze trophy
    paul_wilkins's Avatar
    Join Date
    Jan 2007
    Location
    Christchurch, New Zealand
    Posts
    14,526
    Mentioned
    83 Post(s)
    Tagged
    4 Thread(s)
    There's nothing wrong with that at all, unless Nielsen has something worth listening to.
    Stop Password Masking
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,604
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by pmw57 View Post
    There's nothing wrong with that at all, unless Nielsen has something worth listening to.
    Stop Password Masking
    One thing he doesn't cover where it is still effective even if you have someone looking over your shoulder at the time is where you use a password vault program that can mask the passwords in the program but still provides a button next to the field to copy the password to the clipboard. With that setup you can then copy the password from your password vault and paste it into the web page with someone watching everything you do (including watching the keyboard) and they still can't see your password. Since it is also impossible to mistype the password when you do that there is no problem for you in having the field masked.

    So Neilen's suggestion about offering your visitor the option of whether passwords should be masked or not is definitely a worthwhile one.

    Of course any option that you give your visitor for being able to switch the field between masking and not masking the password will require JavaScript to perform the switch. For example http://javascript.about.com/library/blpass1.htm shows how to set up a self labelled password field that will mask the actual password when entered. Slightly modified that code could also provide for the checkbox processing for masking/unmasking the field that Neilsen mentions as a possibly more accessible solution.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  5. #5
    SitePoint Guru
    Join Date
    Sep 2006
    Posts
    731
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    One thing he doesn't cover where it is still effective even if you have someone looking over your shoulder at the time is where you use a password vault program that can mask the passwords in the program but still provides a button next to the field to copy the password to the clipboard. With that setup you can then copy the password from your password vault and paste it into the web page with someone watching everything you do (including watching the keyboard) and they still can't see your password. Since it is also impossible to mistype the password when you do that there is no problem for you in having the field masked.
    The only snag is that for security reasons such applications have to be activated by entering a master password in the conventional manner.
    Such a password would need to strong, and if the user has no trouble entering it, then he should have no trouble doing so in any other application.
    If the user lets his master password be captured, he effectively gives away all his passwords.
    Tab-indentation is a crime against humanity.

  6. #6
    From space with love silver trophy
    SpacePhoenix's Avatar
    Join Date
    May 2007
    Location
    Poole, UK
    Posts
    4,904
    Mentioned
    93 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Logic Ali View Post
    The only snag is that for security reasons such applications have to be activated by entering a master password in the conventional manner.
    Such a password would need to strong, and if the user has no trouble entering it, then he should have no trouble doing so in any other application.
    If the user lets his master password be captured, he effectively gives away all his passwords.
    That is my worry with any of the authentication systems which you can use to have one password for many sites, if a person's password is captured/guessed/broken then they loose access to all sites. If they have different passwords for different sites and one gets comprised, they only loose access to that one site.

    @albertkao, a couple of related threads where the topic of password masking as been discussed are in this thread and discussed a bit in this thread.
    Community Team Advisor
    Forum Guidelines: Posting FAQ Signatures FAQ Self Promotion FAQ
    Help the Mods: What's Fluff? Report Fluff/Spam to a Moderator

  7. #7
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,604
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Logic Ali View Post
    The only snag is that for security reasons such applications have to be activated by entering a master password in the conventional manner.
    Such a password would need to strong, and if the user has no trouble entering it, then he should have no trouble doing so in any other application.
    If the user lets his master password be captured, he effectively gives away all his passwords.
    The difference is that the password vault program runs as an application on their computer and there is no access to it from anywhere else. The master password doesn't have to be particularly secure if physical access to the computer itself is secure.

    Where others you don't trust have physical access to the computer then yes that master password does have to be secure but provided you have entered that before the person arrives to watch you use the computer you can use the passwords stored there to log into various web sites without the watching person seeing you type a password which is the only instance where having the password field on the screen masked serves any purpose whatever.

    Losing a password that is only ever entered on your own computer and never leaves that computer is far less likely than losing one that has to be transmitted over the internet and so the password vault method reduces the chances of your having all sites compromised by making it easier to use different hard to guess passwords for each site on the internet. The actual level of security isn't that significantly different from if you keep the passwords on a written list on your desk (which is the only effective alternative way of using hundreds of different passwords for hundreds of different sites).

    The only way a master password on a password vault can be captured without being physically there watching it being typed in is if there is a keylogger installed on the computer and if that applies then all of your passwords are compromised regardless of how you handle them.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •