Joerg,

I disagree with your first argument. This option should be left up to the
developer to decide. Significant "ramifications" should be described in the
documentation, and I think are already understood by most web programmers.
If I want to compromise my site security then I should be able to do so.

Bob


-----Original Message-----
From: Joerg Beekmann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 14, 2001 2:19 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: html:password


I argued not to echo the password when this first came up. I still feel that
way and also feel there should not be a boolean allowing the password to be
echoed back. Not everyone who sets the boolean to echo will understand the
ramifications. 

I also don't believe we would be doing the user a service by echoing the
password back, in fact quite the opposite. Think about it; presumably the
password is displayed in the form **** and is echoed back the same way. The
user doesn't know which characters are incorrect so will need to select the
entire password and retype it. It is simpler for them if the field is blank
and has focus in which case they just type the password again and enter. In
my experience that is the way logon dialogs work.

Joerg


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Matthias Bauer
> Sent: February 14, 2001 12:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: html:password
> 
> 
> As I asked the original question on the new behaviour for the 
> password field,
> let me say this: I did not see the problem when I asked my 
> question, but now I
> am perfectly aware (and I admit, it is quite obvious) of the 
> security risk you
> are imposing when you send the current value of the password 
> along in the html
> source. Therefore I would say that for the sake of security 
> there shouldn't be a
> boolean value, so people are not tempted to implement a risky 
> solution.
> 
> --- Matthias
> 
> 
> Matthias Bauer +++ [EMAIL PROTECTED] +++ LivingLogic AG +++ www.livinglogic.de


"Craig R. McClanahan" wrote:
> 
> Maya Muchnik wrote:
> 
> > I have seen the similar behavior for the edit option. The form (struts-example) does
> > not display "*", but it does not require re-entering the password again either.
> >
> 
> This behavior was changed due to concerns about the fact that the old password would
> appear (in the HTML source) when you were on the login page and -- for example --
> mistyped by one character your actual password.  A hacker who saw the incorrect value
> is a lot closer to guessing the right one.
> 
> Would it make sense to have a boolean option to "have it your way" on this?
> 
> Craig
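As an added illustration (not Struts code, and not written by anyone in this thread) of the two renderings Craig and Joerg are discussing: one function produces the password field with and without the echoed value, and a second scans a rendered page for password inputs that carry a non-empty value, which is the check a reviewer would run against a failed-login response. Function names and the sample page are my own.

```python
import html
import re

def render_password_field(name, value, redisplay):
    """Render an <input type="password"> the way a form tag might.

    redisplay=True is the behaviour debated above: the submitted value is
    written back into the HTML source (attribute-escaped, but readable by
    anyone who views source, proxies the response or finds a cached copy).
    redisplay=False omits the value attribute, so a failed login re-renders
    an empty field and the user simply retypes.
    """
    attrs = 'type="password" name="%s"' % html.escape(name, quote=True)
    if redisplay:
        attrs += ' value="%s"' % html.escape(value, quote=True)
    return "<input %s>" % attrs

# One <input ...> tag; attributes are parsed from the captured inside.
_INPUT_TAG = re.compile(r"<input\b([^>]*)>", re.IGNORECASE)
# name="dq" | name='sq' | name=bare ; valueless attributes are skipped.
_ATTR = re.compile(
    r"([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s\"'>]+))")

def find_echoed_passwords(page):
    """Return names of password inputs whose value attribute is non-empty.

    Run over pages captured from a test of the login form: any hit means a
    typed password is being sent back to the browser in the HTML source.
    """
    hits = []
    for tag in _INPUT_TAG.finditer(page):
        attrs = {}
        for a in _ATTR.finditer(tag.group(1)):
            raw = next(g for g in a.groups()[1:] if g is not None)
            attrs[a.group(1).lower()] = html.unescape(raw)
        if attrs.get("type", "").lower() == "password" and attrs.get("value"):
            hits.append(attrs.get("name", "?"))
    return hits

# Constructed sample: a login page re-rendered after a mistyped password.
SAMPLE_PAGE = """<form action="/logon" method="post">
  <input type="text" name="username" value="maya">
  <input type="password" name="password" value="hunter3">
</form>"""

if __name__ == "__main__":
    print(render_password_field("password", "hunter3", True))
    print(render_password_field("password", "hunter3", False))
    print("echoed password fields:", find_echoed_passwords(SAMPLE_PAGE))
```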
