如何防止用户在控制台中获取密码字段值 [英] How to prevent a user from getting password field value in console

问题描述

我一直在帮助一些人使用他们的计算机并进行维修.其中一个人问我有关在自动表单字段中存储密码的安全性.我向他们展示了一个快速技巧，告诉您如何从控制台中的简单jQuery调用中检索密码.在某些网站上工作时，我一直试图找出一种方法来防止使用此技巧来查明保存的密码是什么.

I have been helping out some people with their computers and repairing them. One of these people asked me about the safety of storing passwords in the auto form field. I showed them a quick trick on how you can retrieve the password from a simple jQuery call in the console. While working on some websites, I have been trying to figure out a way of preventing the use of this trick to find out what the saved password is.

要了解我在说什么(如果您不知道)，请尝试以下操作.

To understand what im talking about if you dont know, try the following.

1. 使用jquery导航到网站(或jquerify网站)，并打开自动表单填写功能或填写密码字段.
2. inspect元素以显示密码id字段或使用jquery调用该字段的某种方式
3. 在控制台中运行类似 $('#password').val()的内容，并查看密码显示.

1. Navigate to a website with jquery (or jquerify the site) and either have auto form fill in turned on or fill in the password field.
2. inspect element to show the password id field or some way to call the field with jquery
3. in console run something like $('#password').val() and watch the password show up.

我想知道作为Web开发人员是否有某种方式可以阻止在我的网站上使用此功能，但仍然允许使用它来获取网站代码中字段的值.

I am wondering if there is some way for me as a web developer to prevent the use of this on my site but still allow the use of it for getting the value of the field within the site code.

谢谢.

编辑

来自Facebook，登录信息已自动填写(为安全起见，已涂黑)

From facebook with login autofilled out (blacked out for security)

，然后将页面精简并在控制台中运行 $ jq('#pass').val()之后，不进行任何更改(为安全起见，密码已涂黑)

and then after jquerifying the page and running the $jq('#pass').val() in console without changing anything (password blacked for security)

使用案例

用户1在公共计算机上，他们允许浏览器保存登录信息

User 1 is on public computer, they allow the browser to save login info

用户1离开，用户2转到同一站点.浏览器自动填写登录信息

User 1 leaves, User 2 goes to same site. browser auto fills in login info

用户2运行命令并获得对密码的访问权限

User 2 runs the command and gains access to the password

推荐答案

简短答案:否.从逻辑上讲，没有办法删除访问该字段中的数据的功能，并且保留自动填充功能.密码框的值是，这就是您要提交的内容.您要么必须禁用自动填充功能，才能正确地阻止这种情况的发生.

Short answer: no. Logically, there's no way to remove ability to access the data in this field and preserve functionality of autofill. The value of the password box is the password, and that's what you want to submit. You would either have to disable autofill to properly stop this from happening.

但是...

通过将值从 password 输入框中取出并用 .val(")对其进行空白，您可以隐藏该值.然后提交存储值的变量，而不是提交时框中的内容.如果您使用模糊化变量名的众多工具之一来缩小脚本，则找到该值会稍微困难一些(尽管当然并非没有可能).通过对值进行加密和解密，您会变得越来越疯狂，但是最终，全部用于获取密码的密钥将必须包含在脚本中以便脚本本身可以在适当的时间访问它.在少数情况下，有人会给你开枪，但没有一个专心的人，你会停止的.

You might be able to hide the value, by getting the value out of your password input box and blanking it with .val(""). Then submit the variable that stores the value instead of the contents in the box on submit. If you shrink your script using one of many tools out there that obfuscates variable names, it would be slightly more difficult (though certainly not impossible) to find the value. You could get more and more crazy by encrypting the value and decrypting it, but at the end of the day all the keys to get the password would have to be in the script so that the script itself could access it in the proper time. You'd stop the few cases where someone gave it a shot, but not a dedicated person.

您还必须牢记以下所有警告:

You would also have to keep in mind all the following caveats:

• 如果用户不更改密码变量，则必须确保仅提交密码变量 .如果用户在其密码框中更新了信息，则您想提交该信息.使用击倒.js之类的工具，您可以连续获取和隐藏用户在该框中输入的所有内容，但这将是另一层复杂性

• You would have to be sure to only submit your password variable if the user does not change what it is. If the user updates the info in their password box, you'd want to submit that instead. With a tool like knockout.js you might be able to continuously get and hide whatever the user types into that box, but it would be another layer of complication

您希望用户可以清楚了解发生了什么.如果他们的密码框突然空白，那么大多数用户将感到非常困惑.

You would want it to be clear to the user what is going on. If their password box was suddenly blank, most users would be very confused.

让我们现实一点吧.如果黑客"可以直接访问某人的计算机，并且他们想要密码，那么他们将获得该密码.在使用javascript之前，他们还有一千种首先获取密码的方式(键盘记录程序，键入时会站在它们后面，如果您不使用HTTPS或加密数据，则使用数据包嗅探器，用钝对象击中它们，等等.)在某处有一个XKCD地带.找到了它:)

Let's be realistic though. If a "hacker" has direct access to someone's computer, and they want the password, they're going to get it. They have a thousand other ways of getting to the password first before tapping into your javascript (keylogger, standing behind them as they type, packet sniffer if you're not using HTTPS or encrypting your data, hitting them with a blunt object, etc.) There's an XKCD strip about this somewhere. Found it :)

这篇关于如何防止用户在控制台中获取密码字段值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！