将重新填充表单中的密码字段是一个安全问题? [英] Will re-populating a password field in a form be a security issue?
问题描述
我想知道是否应该在其他字段无效时重新填充表单中的(掩码)密码字段。我已经在网上看到了表单可能会显示的内容:
I am wondering if I should re-populate the (masked) password field in a form when other fields don't validate. I have seen both on the web where the form would either:
- 重新填充被屏蔽的密码字段
- 清空密码字段,所以用户需要重新输入(即使它是有效的)。
什么是您的最佳实践?重新填充密码字段是否表示存在安全漏洞?可用性方面,我宁愿重新填充字段,也不让用户重新输入。
What is your best practice? Does re-populating the password field indicate a security hole? Usability-wise I would prefer to re-populate the field and not have the user re-enter it.
推荐答案
一个选项if你想这样做,实际上并不是发送密码纯文本,而是一个随机标记。由于它是一个密码字段,用户将无法分辨(除了长度)。然后,将散列的密码和令牌存储在会话中。当用户提交表单时,如果密码字段与存储的令牌相同,则使用存储的密码散列。否则使用提交的密码。这解决了缓存问题(因为随机令牌在其他会话的请求中没有意义)。这样你就不需要在初始表单提交之后存储或传输原始密码......
One option if you want to do this, is not actually send the password plain-text, but a random token. Since it's a password field, the user won't be able to tell (except for the length). Then, store the hashed password and token in the session. When the user submits the form, if the password field is the same as the stored token, use the stored password hash. Otherwise use the submitted password. This solves the cache issues (Since the random token will have no meaning in requests by other sessions). That way you never need to store or transmit the raw password after the initial form submission...
这篇关于将重新填充表单中的密码字段是一个安全问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
