Registration passworld field security risk on form failure?

[Mark Li]

I am currently looking into whether or not password fields should be cleared on registration error after the form fails server-side validation. At the moment, web2py shows the password after a registration error, instead of leaving it blank. While this may make editing the password easier (in case there are pw errors), it seems to pose a security risk because you are sending the password back to the client in plain text. To my understanding, this would allow the page to be cached with the password's value in plain text.

I tested this on a variety of browsers and systems, so to the best of my knowledge this is behavior is not unique to a browser.

Does this pose a reasonable security risk?

Some reference links:
http://ux.stackexchange.com/questions/39999/why-do-most-create-account-forms-clear-the-password-fields-upon-wrong-validation
http://ux.stackexchange.com/questions/20418/when-form-submission-fails-password-field-gets-blanked-why-is-that-the-case

[Derek]

Have you actually looked at it? I believe it just returns asterisks.

[Mark Li]

Looking at the password input through Firebug/developer tools, and the value of the password input is the plaintext of the password I entered.

I have a test site here: http://tedlee.pythonanywhere.com/welcome/default/user/register

Typing in a password and failing registration will return that password. Is this just the behavior of a modern browser (to remember failed inputs), or is it web2py form handling?

In the case that web2py did only return asterisks, wouldn't that be very misleading to the user? Because the password input is masked, they would assume that the returned password value (after registration failure) was what they previously had typed, not a password replaced with asterisks. Thus on re-submitting the form, they would not think to alter the password and would just submit a password with asterisks.

[Willoughby]

Using the same Firebug, look at the Net tab - look at your post and the response.

[Mark Li]

Under the Net tab in Firebug, the Post contains the submitted variables, and the response tab is the HTML of the returned page. This response contains the password input value in plain text.

If I submitted the password as "asdf" and submitted the registration form with failures, the response will contain this (as shown in the net tab):

<input class="password" id="auth_user_password" name="password" type="password" value="asdf" />

Does no one else experience this behavior?

[Willoughby]

It got posted to the developer list yesterday, so it would seem at least some of the maintainers think it's an issue worth discussion.

[Mark Li]

This problem was patched here today: https://github.com/web2py/web2py/commit/5364193759f266e0c07128de2a7b6b54a82ef736

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/5zmTyjSlr5E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Anthony]

Thanks for pointing this out.

Anthony

To unsubscribe from this group and all its topics, send an email to web2py+unsubscribe@googlegroups.com.