RSS 2.0 Feed
RSS 2.0


Atom 1.0 Feed
Atom 1.0

  Setting the Value of a TextBox with TextMode=Password 


When the TextMode property of an ASP.NET TextBox is set to Password the value set in the Text property will not display at runtime. This can be a pain, however it is actually by design to prevent the unmasked password from being displayed in the HTML source of the page.

While the security reasons are good to not display the masked password value, leaving it unmasked in the source, it is also necessary at times to display the masked value in the TextBox. For example, a user profile page where the user has the ability to change their password. It makes sense to display it there. After all, the user has already authenticated to get to the page (although the value is sent with the data to the browser and could easily be sniffed).

Security reasons aside, you can work around this by adding the password value to the control as as Attribute. Since the TextBox renders as an HTML input control, you can set the value attribute easily, just as you would set the Text property.

PasswordText.Attributes.Add("value", "ThePassword");

Use this to set the value, instead of setting the Text property. You can still read the value from the control via the Text property.




                   



Leave a comment below.

Comments

  1. David M. Kean 12/18/2004 11:39 AM
    Gravatar
    As the page is saved to disk, anyone can open it and view the password as clear text.

    The better way to do this is to have a seperate reset password page, where you have to enter the old and the new passowrd. That way you never have to display the password on the page at all.
  2. Ryan Farley 12/18/2004 12:08 PM
    Gravatar
    David,

    You are abolutely right. I tend to stay away from sending password back to the browser as a rule as well. I should have made that more clear in my post. However, I don't like to rule out a way of doing something just because it doesn't work that way normally, so I figured it was worth pointing out how to go about it if needed (the "when" and "why" is left up to the developer/specs). Again, thanks for the comment, with a post pointing out a work-around for something in place for security reasons I should have done the responsible thing and point out why you shouldn't work around it more strongly.

    -Ryan
  3. Milan Negovan 12/18/2004 4:36 PM
    Gravatar
    The first time I ran into this issue it baffled me. Eventually, I figured to apply the trick you share here.

    I still can't understand the rationale behind this "security feature", because this is about messing with the conventional browser behavior. When you type in a password and submit the form, the password is posted in plain and clear. If anyone is sniffing the session they already have it! Why make it more difficult by pretending it didn't happen? Dunno, really.
  4. TOURNEY LOGIC LINK BLOG 12/18/2004 9:01 PM
    Gravatar
  5. Jiho Han 12/20/2004 6:15 AM
    Gravatar
    well, I think the reason for the masked textbox in the browser is that these browsers were used in public settings like in a university computing center (which is where I first experienced "World Wide Web" via Mosaic), or at a public terminal at a convetion center. Your password being sent in clear text to the network and your password being visible to the guy sitting next to you or the woman peeking over your shoulder are two different things.
  6. pravin 4/19/2005 10:42 PM
    Gravatar
    still i am getting error its not working tell me where i am wrong

    <asp:TextBox ID="Pass" TextMode="Password" Runat="server" Text="Hello">
    <asp:textbox id="txtPassword" runat="server" Width="241px" TextMode="Password" MaxLength="255"></asp:textbox>


    Pass.Attributes.Add ("Value", Pass.Text);
    txtPassword.Attributes.Add (dgUserList.Items[dgUserList.SelectedIndex].Cells[3].Text, txtPassword.Text);


    Do you know why there is no value in my password box?
    my code is above one...
    i want to set password into text box when user select user details from Grid to Update




    PasswordText.Attributes.Add("value", "ThePassword");
    as per u what comese in my case
    str key and str value
  7. Jonno 6/13/2005 12:35 AM
    Gravatar
    Well if you dont want users to see it, set it with an encrypted password and store a version of it in a hidden field.

    When you persist it back reconvert hidden field and password textbox to unencrypted version and compare them.

    If they are equal save the encrypted version - reconvert it.

    If they are not save the new version in the password textbox.
  8. David Silverlight 8/11/2005 1:05 PM
    Gravatar
    I had been fighting with this for some time and blogged about it recently myself. It seems that setting the attribute in the prerender event of the textbox does the trick nicely.

    Protected Sub txtPassword_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles txtPassword.PreRender

    txtPassword.Attributes("value") = txtPassword.Text

    End Sub

  9. kornolio 10/10/2006 8:38 PM
    Gravatar
    thanks a lot David!

    i was having a problem displaying the text in my password textbox inside my detailsview control. it uses an objectdatasource control to populate itself. using your solution i finally resolved it.

  10. stephen natawardaja 4/11/2007 5:02 PM
    Gravatar
    Thanks, I found this helpful =)
  11. M.P.Santhakumar 4/15/2007 10:44 PM
    Gravatar
    how to change the password character in asp.net 2.0?
  12. host 6/13/2007 11:31 AM
    Gravatar
    Well if you dont want users to see it, set it with an encrypted password and store a version of it in a hidden field.

    When you persist it back reconvert hidden field and password textbox to unencrypted version and compare them.

    If they are equal save the encrypted version - reconvert it.

    If they are not save the new version in the password textbox.
  13. Jagdish 7/2/2007 10:50 PM
    Gravatar
    I've created multiple Textbox during the runtime now i need to set textmode to multiline for each created textbox kindly help me.
  14. Durga 9/14/2007 6:43 AM
    Gravatar
    This topic solved my issue of asigning of some spaces in the password filed. Thanks a lot.
  15. LJ 11/26/2007 9:13 PM
    Gravatar
    My problem is that I have an assignment where I need to use a cookie to populate the username and password fields of a login page. However, when I have the textbox for the password set to TextMode=password, it will not populate with the value in the cookie, although it will if the TextMode=singleline. What I need to know is how to convert the TextMode from password to singleline so the cookie value can populate, then convert back to TextMode=password.
  16. Sree 2/28/2008 10:10 PM
    Gravatar
    The code was of great help to me.
    Thanks :)
  17. Neal 7/15/2008 6:37 AM
    Gravatar
    FYI: Adding the attribute value will allow anyone reading the source of your page will be able to see your password in the controls attribute section.
  18. Sunny Setia 9/12/2008 12:13 AM
    Gravatar
    By using this password is coming in the text box but when we open the page source, the password value is coming which is not Right anyone can see the password.
  19. Ryan Farley 9/12/2008 10:07 AM
    Gravatar
    @Neal & @Sunny Setia, That is correct and has always been the case and something to always be aware of when passing a password back and forth (I usually opt to not send the password back to the browser if possible - just allow the user to send a new one to the server)

    -Ryan
  20. Shaun 9/24/2008 7:06 AM
    Gravatar
    Brilliant, thanks this solved my problem straight away!
  21. ThomasR 10/7/2008 2:16 AM
    Gravatar
    Thank you so much, you saved my time and it did the trick !
  22. fernando 10/24/2008 12:43 AM
    Gravatar
    great trick! thank you.
  23. Adem 12/25/2008 7:42 AM
    Gravatar
    Really nice, thanks for this one.
  24. alexoss 12/29/2008 3:17 PM
    Gravatar
    The hidden field with the encrypted password value is just the trick I was looking for... I was getting worried I might need to do something ugly in session! Thankee, Jonno (three and a half years ago...).
  25. sirobert 2/20/2009 2:22 AM
    Gravatar
    Thanks a lot!
  26. Chamika Fernando 3/4/2009 5:22 AM
    Gravatar
    Thank you very much I got 2 mins to solve my problem b'caz of this.
  27. ELENI 3/13/2009 6:36 AM
    Gravatar
    THANKS. SOLVED MY PROBLEM
  28. Star 3/16/2009 10:08 PM
    Gravatar
    It's Good. that Code is Solved My problem.

    Thanks a Lot:)
  29. san 5/11/2009 6:55 AM
    Gravatar
    Nice trick, thanks
  30. dlna 5/15/2009 5:18 PM
    Gravatar
    great! this was helpful.
  31. Dreamchaser 5/18/2009 5:15 AM
    Gravatar
    I did it like this:
    <asp:TextBox runat="server" ID="ConfirmPasswordInput" TextMode="Password" Value=" "></asp:TextBox>

    So I've got those nice asterisks in my textbox, without having to expose the real password in the source code.

    When the user leaves the password field untouched, I need to avoid the password being changed to 8 spaces of course. That's why I do this check in the code behind:

    if (this.PasswordInput.Text.Trim() != string.Empty)
    {
    this.User.Password = this.PasswordInput.Text;
    }

    Since I won't allow the password containing nothing but spaces, the Trim() will do for me, otherwise you can always check for exactly those 8 spaces. Instead of spaces you could also use a dummy password like THISPASSWORDISHIDDEN and check for that, but you never know if anyone really wants to use that for a password :)
  32. Dreamchaser 5/18/2009 5:19 AM
    Gravatar
    That Value=" " in my comment above contains 8 spaces, but since the spaces aren't nicely translated in &nbsp; it appears to be only 1.
  33. Arunkumar 5/27/2009 10:52 PM
    Gravatar
    Thanks David.
    Really its very helpful to me.
    Its working Very Nice.
  34. sumi 7/17/2009 4:02 AM
    Gravatar
    My problem is , when i click a button for some other work , the value enter in the textbox is getting cleared when set to password mode. can you help me in solving this problem?
  35. Levi 8/3/2009 9:11 AM
    Gravatar
    This was very helpful. Thanks for posting.
  36. jacks 8/31/2009 7:32 PM
    Gravatar
    This was very helpful. Thanks for posting.
  37. narinder 9/16/2009 5:36 AM
    Gravatar
    I read your all chat but please tell me how we can enter text into textbox when it is textmode is password ....... I you know please tell me.
  38. Ryan Farley 9/16/2009 7:15 AM
    Gravatar
    @narinder, Please read the article, it shows how to do just that.
  39. Psycho 1/19/2010 12:38 AM
    Gravatar
    I have a doubt. Does using TextMode="password" trim all the leading and trailing spaces automatically?
    My requirement needs me to have spaces inserted for password, but somehow it does not seem to accept that
  40. Alok Kumar 1/20/2010 12:50 AM
    Gravatar
    This is quite a trick. This worked for us.
  41. Pravin 1/28/2010 7:25 AM
    Gravatar
    I want to clear text box when focus received in that text box actually text box mode is password.when i run it it's display blank instead of Text which is i gave in load event.

    Page_LOad()
    {
    if(!Page.IsPostBacK)
    textbox.Text="Enter Password";
    }
  42. Young Geun 3/14/2010 6:05 PM
    Gravatar
    Thanks
    This was very helpful!!
  43. San 5/20/2010 6:06 AM
    Gravatar
    If i used this and go for "view Source", password is visible.
  44. Alex 7/27/2010 1:45 AM
    Gravatar
    Nice trick ;)
Comments have been closed on this topic.



 

News


Also see my CRM Developer blog

Connect:              


Sponsor

Sections