Reputation: 1671
I'm creating users for my application, and am securing them with the Spring Security MD5 hash encoder:
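import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.authentication.encoding.PasswordEncoder;
// Hash the user's password with MD5; the second argument (the salt) is null
PasswordEncoder encoder = new Md5PasswordEncoder();
String hashedPass = encoder.encodePassword(dbUser.getPassword(), null);
dbUser.setPassword(hashedPass);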
So 'admin' becomes 'd41d8cd98f00b204e9800998ecf8427e'.
This is all fine and dandy, but I'm also trying to create a form where current users can go and update their details, etc.
I'm not bothered about decoding the MD5 hash as this is not part of Spring (someone already asked). However, when I try to add it to my form, nothing appears.
<form:password cssClass="input" placeholder="Password" path="password" />
If I add the 'showPassword' attribute, then the MD5 hash gets added into the field blocked out (e.g. by circles on Chrome), but if I right-click and 'view source' the hash is there.
How can I make it so that it appears as the right number of characters as the original 'admin' input? HTML5 placeholder won't work as the user may think they have to retype their password each time, and JavaScript definitely wouldn't be a clean option.
Many thanks,
Toby
Upvotes: 0
Views: 557
Reputation: 10319
I do not recommend showing passwords (or other confidential information) to users, neither hashed nor in plain text. To solve the UX issue you can:
1) Show empty input fields for passwords
2) Do not show passwords at all, and have a separate link / menu to change a password.
Upvotes: 1
Reputation: 100042
The whole point of a hash is that you cannot reverse it. You cannot tell what the original was, and you cannot tell how long it was. You should never display it in any fashion.
Upvotes: 2
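The answers' approach (render the password field empty, never send the stored hash to the browser) needs a matching rule on the server: an empty submission must leave the existing hash alone. The following is an added example, not code from the question or the answers; `User`, `applyUpdate` and `md5Hex` are hypothetical names, and `md5Hex` only stands in for the question's encoder call so that it runs on the JDK alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.UnaryOperator;

public class ProfileUpdateExample {

    // Hypothetical stand-in for the question's dbUser entity.
    static class User {
        String displayName;
        String passwordHash;
        User(String n, String h) { displayName = n; passwordHash = h; }
    }

    // Unsalted hex MD5 via the JDK, standing in for the question's
    // encoder.encodePassword(password, null) so the demo needs no Spring jars.
    static String md5Hex(String input) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5")
                    .digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Applies a submitted profile form. The password field is rendered empty,
    // so an empty submission means "no change" and the stored hash is kept.
    // Without this guard the empty string itself would be hashed and saved
    // (unsalted MD5 of "" is d41d8cd98f00b204e9800998ecf8427e).
    static boolean applyUpdate(User stored, String displayName,
                               String submittedPassword, UnaryOperator<String> encoder) {
        stored.displayName = displayName;
        if (submittedPassword == null || submittedPassword.isEmpty()) return false;
        stored.passwordHash = encoder.apply(submittedPassword);
        return true;
    }

    public static void main(String[] args) {
        User user = new User("admin", md5Hex("admin")); // constructed sample account
        String original = user.passwordHash;
        boolean changed = applyUpdate(user, "Administrator", "", ProfileUpdateExample::md5Hex);
        System.out.println("blank changed=" + changed + " kept=" + user.passwordHash.equals(original));
        changed = applyUpdate(user, "Administrator", "constructed-new-pass", ProfileUpdateExample::md5Hex);
        System.out.println("new password changed=" + changed);
    }
}
```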