As I asked the original question on the new behaviour for the password field,
let me say this: I did not see the problem when I asked my question, but now I
am perfectly aware (and I admit, it is quite obvious) of the security risk you
are imposing when you send the current value of the password along in the HTML
source. Therefore I would say that for the sake of security there shouldn't be a
boolean value, so people are not tempted to implement a risky solution.

--- Matthias


Matthias Bauer +++ [EMAIL PROTECTED] +++ LivingLogic AG +++ www.livinglogic.de


"Craig R. McClanahan" wrote:
> 
> Maya Muchnik wrote:
> 
> > I have seen the similar behavior for the edit option. The form (struts-example) does
> > not display "*", but it does not require you to re-enter the password again either.
> >
> 
> This behavior was changed due to concerns about the fact that the old password would
> appear (in the HTML source) when you were on the login page and -- for example --
> mistyped your actual password by one character.  A hacker who saw the incorrect value
> is a lot closer to guessing the right one.
> 
> Would it make sense to have a boolean option to "have it your way" on this?
> 
> Craig
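The risk Craig describes is a property of the server-side renderer: whatever it writes into the `value` attribute of the password input is sent back to the client and visible in the page source. The following is an added example, not code from this thread or from Struts; it contrasts a renderer that re-populates every field from the previous submission with one that always emits secret fields empty, plus a check a test suite can run over rendered pages. The field names, the `/login` action and the submitted values are constructed for illustration.

```python
import html

# Constructed sample: what the browser posted back after a failed login
# attempt. The password is a deliberately wrong (near-miss) value, which is
# exactly the case where echoing it back helps an attacker.
SUBMITTED = {"username": "maya", "password": "hunter3"}

SECRET_FIELDS = frozenset({"password"})


def _attr(value):
    # Escape for use inside a double-quoted HTML attribute.
    return html.escape(value, quote=True)


def render_login_form_echoing(fields):
    """Weak renderer: repopulates every field, including the password,
    from the previous submission. The mistyped password lands in the
    HTML source of the login page."""
    parts = ['<form method="post" action="/login">']
    for name, value in fields.items():
        input_type = "password" if name in SECRET_FIELDS else "text"
        parts.append(
            f'<input type="{input_type}" name="{_attr(name)}" value="{_attr(value)}">'
        )
    parts.append("</form>")
    return "\n".join(parts)


def render_login_form(fields):
    """Hardened renderer: non-secret fields are repopulated for convenience,
    but secret fields are always written with an empty value, so a previous
    (possibly near-miss) password is never sent back to the client."""
    parts = ['<form method="post" action="/login">']
    for name, value in fields.items():
        if name in SECRET_FIELDS:
            parts.append(f'<input type="password" name="{_attr(name)}" value="">')
        else:
            parts.append(f'<input type="text" name="{_attr(name)}" value="{_attr(value)}">')
    parts.append("</form>")
    return "\n".join(parts)


def leaks_secret(rendered_html, fields):
    """Check for a rendering test: does the markup contain any submitted
    secret value, either raw or in its HTML-escaped form?"""
    for name in SECRET_FIELDS:
        value = fields.get(name)
        if not value:
            continue
        if value in rendered_html or _attr(value) in rendered_html:
            return True
    return False


if __name__ == "__main__":
    print("echoing renderer leaks password:", leaks_secret(render_login_form_echoing(SUBMITTED), SUBMITTED))
    print("hardened renderer leaks password:", leaks_secret(render_login_form(SUBMITTED), SUBMITTED))
```

The `leaks_secret` check is the kind of assertion worth keeping in a view-layer test: it fails the moment someone adds a "convenience" option that reintroduces the echo.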
