This is true.

Michael, what are you using this for? Are you using the htmlEditFormat() to
sanitize the passwords before they get inserted? Or are you using this to
output the user's password to them in a textbox?

-----Original Message-----
From: Justin Scott [mailto:[email protected]] 
Sent: Friday, June 26, 2009 12:40 PM
To: cf-talk
Subject: RE: HTMLEditFormat() on Password Fields


> Is it wise to use htmlEditFormat() on the value of password fields?

I wouldn't be passing a value through to a password field at all.  Makes it
too easy for someone to view source and see the existing password.  For
example, Sarah has her password saved in Firefox.  Sarah leaves the room for
a while and John gets on her computer and logs in as Sarah since the
password is saved.  John goes to the account page and views source.  Now he
knows Sarah's password and can log in from anywhere.  Yes, it's a stretch,
but a possibility that can be avoided by simply not passing a value of the
password field.


-Justin
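The two points raised in this thread (encode what you echo back into the form, and don't echo the password at all) look like this in CFML. This is an added example, not code from either poster; the `account` struct, the `myDsn` datasource, `session.userId` and the file names are assumptions for illustration.

```cfml
<!--- account.cfm: renders the account form (added example, not from the thread) --->
<!--- Constructed sample data; the double quote in the username shows why encoding matters --->
<cfset account = { username = 'sar"ah', email = "sarah@example.com" }>

<cfoutput>
<form method="post" action="account_save.cfm">
  <label>Username
    <!--- HTMLEditFormat() turns " into &quot; so the value cannot break out of the attribute --->
    <input type="text" name="username" value="#HTMLEditFormat(account.username)#">
  </label>
  <label>Email
    <input type="text" name="email" value="#HTMLEditFormat(account.email)#">
  </label>
  <!--- No value attribute on password fields: the current password never reaches the page source,
        so "view source" on a logged-in session reveals nothing --->
  <label>New password
    <input type="password" name="password" autocomplete="off">
  </label>
  <label>Confirm new password
    <input type="password" name="password_confirm" autocomplete="off">
  </label>
  <input type="submit" value="Save">
</form>
</cfoutput>

<!--- account_save.cfm: handles the post (added example; datasource and session key are assumed) --->
<cfparam name="form.password" default="">
<cfparam name="form.password_confirm" default="">

<cfif Len(form.password)>
  <!--- Compare() is case-sensitive; NEQ on strings is not, which matters for passwords --->
  <cfif Compare(form.password, form.password_confirm) NEQ 0>
    <cfthrow message="Passwords do not match">
  </cfif>
  <!--- Store the value exactly as typed. HTMLEditFormat() is an output encoding: applying it here
        would store a password like  a&b  as  a&amp;b  and the next login comparison would fail.
        cfqueryparam keeps the raw value safe for the database. Hashing before storage is the
        stronger practice; the point here is only that output encoding does not belong at insert time. --->
  <cfquery datasource="myDsn">
    UPDATE users
    SET password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
    WHERE id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
  </cfquery>
</cfif>
```

Leaving the password field empty also means an unchanged password is simply "no password submitted", which the handler treats as "don't touch it", so the form still works for users who only want to update their email address.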




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323982
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
