7

When a user tries to register and the data he submits are not right such as bad email, or weak password, we would display the registration page again to him with the data he just submitted along with the error messages.

My question is should we display the password he just submitted in HTML as this?

<input type="password" value="s0me7Xpwd">

Or just leave it blank and annoys him to enter another one?

It's definitely better in user experience to insert the password again (especially when the password is all right) but would it be good with regards to security?

datasn.io
  • 749
  • 2
  • 8
  • 9
  • 1
    There does not seem to be any problem if everything is done right. Most, if not all recommendations [from this page](https://www.ethicalhacker.net/columns/heffner/smashing-the-modern-stack-for-fun-and-profit) are applicable here, including caching issue, XSS, click-jacking,... – WhiteWinterWolf Apr 18 '15 at 10:31

1 Answers1

3

This is not a problem in itself, but in my opinion a web application should implement the policy that passwords are only input, never output. Following this policy will result in a much more secure system as far as handling passwords is concerned.

If you are going to do this, then make sure you set the appropriate headers to prevent caching in the browser or in any proxy servers en route:

Cache-Control: private, no-cache, no-store, max-age=0, no-transform
Pragma: no-cache
Expires: 0

Note that the password will still be visible if view source is clicked in the user's browser. This is an additional, although very low risk as a normal user is unlikely to do this. The only time I could think the password might "escape" this way is if the user decides to save the page HTML locally using their browser's save page functionality.

You could store the password in session once it has validated against any password requirement policy and matches the confirmation. Then you could simply include some code to suppress output of the password fields if the password has already been accepted by your application. The downside to this approach is that passwords are held in memory for longer than otherwise necessary, which means your application is at a slightly higher risk of memory attacks. Heartbleed was one - of course you need the vulnerability to exist in the first place for the risk of exposure to increase in this way. One way to mitigate this is to hash the password ASAP and store the hash and salt in memory.

If you want to allow the user the option of changing their password, you could output a field with a "magic value" rather than the password itself.

<input type="password" value="notrealpassword">

Then you simply detect whether the user subsequently edits this field to know whether to update the password stored in session.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185
  • Don't forget. if you store the real password in the HTML. anyone that can view the source can see the password in plain-text. so bad idea to just return it. The "dummy" value is a good idea to use instead, – LvB May 22 '15 at 01:02