A simple Google search will yield people complaining about their host 
accounts getting hacked on Airbnb.
Just because someone or something large 'does it that way' doesn't mean 
it's a best practice!

On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
>
> I don’t see much of a security threat here.
> What’s the worst-case scenario?
>
> If you take a look at airbnb.com <http://www.airbnb.com>, their 
> registration form keeps your typed password even if you fail validation on 
> other fields.
>
> If a website that big can do it then surely my small website will pull 
> through, don’t you think?
>
> On 25 Jul 2014, at 14:47, Niphlod <[email protected]> wrote:
>
> So you really want the webpage to return the actual password instead of 
> asterisks? It's a big security risk, no matter what user experience 
> says...
>
> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>>
>> I'm trying to improve user experience on my website and I noticed a 
>> rather annoying behavior on password fields:
>>
>> If I type a password longer than 8 characters and somehow my form fails 
>> (some other field didn't validate), my password gets replaced by "********" 
>> in request.vars.password.
>>
>> For example:
>> I try to login and mistype my username --> login form fails.
>> I correct the mistake in the username and press the submit button again 
>> --> login still fails, because the password got replaced by '*********' 
>> under the hood.
>>
>> Another example:
>> I try to register and type my password but mistype my password 
>> verification (password_two) --> register form fails.
>> I focus the password_two field and retype my password --> register still 
>> fails because the original password field got replaced...
>>
>> This behavior is extremely frustrating for users as they can't print 
>> request.vars.password like a developer would. All they see is obfuscated 
>> passwords.
>> I cannot have this on my commercial website.
>>
>>
>> Is there any way to fix this?
>>
>
> -- 
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> --- 
> You received this message because you are subscribed to a topic in the 
> Google Groups "web2py-users" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
>
>
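
The trade-off argued in this thread, as an added example that is not part of the original messages and is not web2py code: a framework-free sketch that re-renders a form after failed validation, keeps the non-secret fields, never writes the password back into the response, and rejects an echoed mask with an explicit message instead of failing silently. The function names, field names, error messages and sample values are assumptions made for illustration.

```python
from html import escape

MASK = "********"  # placeholder string quoted in the thread
FIELDS = ("username", "password", "password_two")


def validate(values):
    """Return {field: message} for a registration submission."""
    errors = {}
    if not values.get("username", "").strip():
        errors["username"] = "username is required"
    password = values.get("password", "")
    if not password or password == MASK:
        # An empty field or an echoed mask is not a password: ask again
        # explicitly instead of failing silently on the next submit.
        errors["password"] = "please type your password again"
    elif password != values.get("password_two", ""):
        errors["password_two"] = "passwords do not match"
    return errors


def render_form(values, errors, echo_password=False):
    """Build the HTML returned after a failed validation.

    echo_password=True reproduces the behaviour debated in the thread:
    the cleartext password is written into the response body.
    """
    rows = []
    for name in FIELDS:
        secret = name.startswith("password")
        value = values.get(name, "") if (echo_password or not secret) else ""
        rows.append('<input type="%s" name="%s" value="%s">' % (
            "password" if secret else "text", name, escape(value, quote=True)))
        if name in errors:
            rows.append('<span class="error">%s</span>' % escape(errors[name]))
    return '<form method="post">\n%s\n</form>' % "\n".join(rows)


def handle_submit(values, echo_password=False):
    """Return (accepted, html); html is empty when the form is accepted."""
    errors = validate(values)
    if not errors:
        return True, ""
    return False, render_form(values, errors, echo_password)


if __name__ == "__main__":
    # Constructed submission with a mistyped confirmation field.
    sample = {"username": "louis", "password": "S3cret-pass!", "password_two": "S3cret-pas"}
    print(handle_submit(sample)[1])
```

With `echo_password=True` the same submission puts the cleartext password into the page source, where it can be read from the browser cache, a proxy or a response log.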
