• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 674
  • Last Modified:

Firfox's web developer toolbar addon's Show Password Issue

Hi,

My application uses input type=password which shows * in place of actual characters in text box

but Firfox's web developer toolbar addon have option show password which changes its type to text on the fly and user can see the actual data

This has become a sever issue at my end

anyhow can i prevent it ?

0
Rakesh Jaimini
Asked:
Rakesh Jaimini
  • 2
  • 2
1 Solution
 
UrbanTwitchCommented:
What do you mean -- explain more in depth of how it's a server issue?

Also, why not just uninstall the web developer toolbar if it gives you trouble?
0
 
mrichmonCommented:
And no you can't stop users from doing this.

It is only display anyway - it shouldn't cause any server issues as from a server point of view the text is passed as if it was type="text"  

The only thing the password type does is prevent people from looking at your screen and seeing your password when you type it in.  But there are many ways to have it seen besides the firefox add-on....
0
 
Rakesh JaiminiAuthor Commented:
Hi experts,

I said sever or big issue  not server issue :)

never mind it happens some time.

this issue is raised by our client and we can not say that there are several other ways coz somehow this is a security issue and then we need to address those several other ways also. :D

is there any way to implement some attribute change event handler which i can use on type change to text from password so that in that function i can change back to password

IE doesn't allow this attribute to change from script and i checked with firebug also we can change type with the help of firebug

I have seen some site which shows a modal popup to register first
earlier i used to hide the popup using firebug and can access the site but now as soon as i change display:'' to display:none some script reloads the page

I'm trying to implement similar kind of logic

also @mrichmon can you tell me "other ways" to see this password

thanks

0
 
mrichmonCommented:
oh you mean "severe"

>>we can not say that there are several other ways coz somehow this is a security issue and then we need to address those several other ways also. :D

Actually you should tell them because by knowing that and not telling them you could be held liable.

>>is there any way to implement some attribute change event handler which i can use on type change to text from password so that in that function i can change back to password

No - at least not that they can't prevent or get around very easily.  You can't control the client's browser

>>IE doesn't allow this attribute to change from scrip
Yes it does

>>can you tell me "other ways" to see this password
There are tons.  An easy one is javascript.  In the browser url simplly type alert(getElementById("passwordboxId"));   This will display - in clear text - your password in both IE and Firefox and any other javascript enabled browser.

This is one reason we tell users they should never use the "remember my password" because if they leave their computer unlocked I can sit down at it and browse on their computer and get all their username/passwords very easily.
0
 
Rakesh JaiminiAuthor Commented:
Hi,

Thanks for the reply

I'm convinced :)

can you give some more ways so that we can make some report kind of thing to present it our client that it is normal behaviour and we can not guard against this.
As I checked goggle also and there too both web dev tool bar and JavaScript in address bar worked to get the password

Thanks a lot

0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now