Samuel

Reputation: 651

MVC: Password value is seen from page source

I have a very simple password box bound to a property. When a user edits an existing password, it displays as "......." as we all know. The code is:

@Html.PasswordFor(m => m.Password, new { value = Model.Password })

However, if you right-click and 'view page source', you will see the password in plain text, which seems to cause a security concern. Is there any way to hide that? Thanks a lot!

Upvotes: 1

Views: 864

Answers (2)

Alex Art.

Reputation: 8781

There is pretty much nothing that you can do about it. Since it is a user input, its value has to be specified in some way before the form submit. Client-side encryption/decryption most probably won't work since client-side code cannot actually be secured. So if you use client-side encryption (either symmetric or asymmetric), the hacker that has access to the page source will either be able to see the encryption/decryption algorithm or to replace the password value with something he knows. So as I said, if the hacker has access to the view source of the page while the user types a password, there is nothing you can do. Even PCI-compliant applications that send sensitive data over the web (for example credit card numbers) send the raw user input to some remote secure tokenization server that generates a token that will be used in subsequent requests. The major thing that Html.PasswordFor does is that, instead of displaying the password as a flat string, it masks it, so if somebody behind your back looks at the display while you are typing the password he won't be able to see it. What you must do when submitting a password is to use https in order to prevent a man-in-the-middle attack. And of course you should not store plain user passwords on the server (only their hash values) so they cannot be leaked.

Upvotes: 2
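One way to avoid the leak entirely is to never place the stored password on the model in the first place, so the view has nothing to echo, and to keep only a salted hash on the server as the answer above recommends. The following is an added example, not code from the question or the answers; IUserStore with its Find/Save methods and the user's Salt/Hash fields are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Security.Cryptography;
using System.Web.Mvc;
// Carries only what the user types. The stored credential is never put on the
// model, so nothing the view renders can leak it into the page source.
public class ChangePasswordViewModel
{
    [Required, DataType(DataType.Password)] public string CurrentPassword { get; set; }
    [Required, DataType(DataType.Password), MinLength(12)] public string NewPassword { get; set; }
}

public class AccountController : Controller
{
    private readonly IUserStore _users;   // hypothetical store exposing Find/Save and a user's Salt + Hash
    public AccountController(IUserStore users) { _users = users; }
    // GET: with an empty model, @Html.PasswordFor(m => m.NewPassword) in the view emits
    // <input type="password" ...> with no value attribute, so "view source" shows nothing.
    [HttpGet]
    public ActionResult ChangePassword() => View(new ChangePasswordViewModel());
    // POST over HTTPS only: verify the current password against its salted PBKDF2 hash,
    // then store a fresh salt and hash for the new one. Plain text is never persisted.
    [HttpPost, ValidateAntiForgeryToken, RequireHttps]
    public ActionResult ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);   // password boxes re-render empty
        var user = _users.Find(User.Identity.Name);
        if (!SlowEquals(Pbkdf2(model.CurrentPassword, user.Salt), user.Hash))
        {
            ModelState.AddModelError("", "Current password is incorrect.");
            return View(model);
        }
        user.Salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(user.Salt);
        user.Hash = Pbkdf2(model.NewPassword, user.Salt);
        _users.Save(user);
        return RedirectToAction("Index", "Home");
    }
    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    // Constant-time comparison: a wrong guess must not reveal how many bytes matched.
    private static bool SlowEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

If you need to confirm the fix, load the form and check the rendered source: the password input should carry no value attribute at all.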

Qaiser Imam

Reputation: 1

Well, when you are binding the view with your model and setting the value from the controller, it simply renders the HTML with all its values. That's why the value of the password is visible. @Html.PasswordFor simply renders the password to the browser. You need to use encryption/decryption to save and retrieve the password to make sure it will be safe.

Upvotes: 0
