by bradleyland
5543 days ago
There are straightforward workarounds for this problem. The password field is typically obscured anyway, so the user doesn't see the characters in the field. When a user submits a form where they are asked for a password and a confirmation, you can temporarily persist that data on the server side, linking it to the user's session. You then send a dummy string to the client that matches the length of their supplied password, so that A) the user doesn't have to re-fill your password & confirmation, and B) the raw password data is not sent back to the client. Good implementations of this approach also don't persist the password in plain text in the temporary store. You crypt the password using whatever method you were going to use when you stored it in the database and keep that around until you're ready to make the changes permanent.
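The round-trip described in the comment above, written out as an added example (not code from the commenter or from any particular framework). It assumes a server-side session store (an in-memory dict here standing in for Redis or similar), a fixed placeholder character for the dummy string, and scrypt from the standard library as "whatever method you were going to use" for the users table. Names such as `handle_signup`, `PENDING` and `validate_other_fields` are hypothetical. It also covers the two failure modes a practitioner hits with this scheme: the pending record expiring before the user resubmits, and the placeholder being echoed back when no pending record exists, in which case the placeholder must never be accepted as the literal password.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for a server-side session backend: session_id -> pending record.
PENDING: Dict[str, dict] = {}
PENDING_TTL_SECONDS = 600

# The client only ever receives a string of this character, matching the password's length.
DUMMY_CHAR = "\u2022"  # bullet


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with the same KDF the users table uses (scrypt, stdlib). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def validate_other_fields(form: dict) -> list:
    """Hypothetical validation of the non-password fields; constructed for the example."""
    errors = []
    if "@" not in form.get("email", ""):
        errors.append("email: invalid address")
    return errors


def handle_signup(session_id: str, form: dict, now: Optional[float] = None):
    """
    Process one POST of a signup form carrying password + password_confirm.
    Returns ("ok", record) when everything validates, or ("retry", rendered_form)
    when the user must fix something. On "retry" the password fields are either
    empty (password itself was bad) or the dummy string (password was fine, only
    other fields failed), so the raw password never travels back to the client.
    """
    now = time.time() if now is None else now
    password = form.get("password", "")
    confirm = form.get("password_confirm", "")
    errors = validate_other_fields(form)

    pending = PENDING.get(session_id)
    if pending and now - pending["created"] > PENDING_TTL_SECONDS:
        PENDING.pop(session_id, None)  # expired: forget the temporary hash
        pending = None

    if pending and password == pending["dummy"] and confirm == pending["dummy"]:
        # Client echoed the placeholder we issued: reuse the hash stored server-side.
        salt, digest, dummy = pending["salt"], pending["digest"], pending["dummy"]
    else:
        # Fresh or changed password: validate it, then hash it exactly once.
        if password and set(password) == {DUMMY_CHAR}:
            # Placeholder came back but no live pending record exists (expired or
            # never issued). Never treat the bullets as the real password.
            errors.append("password: session expired, please re-enter")
        if len(password) < 8:
            errors.append("password: at least 8 characters")
        if password != confirm:
            errors.append("password_confirm: does not match")
        if any(e.startswith("password") for e in errors):
            PENDING.pop(session_id, None)
            return "retry", {"email": form.get("email", ""), "password": "",
                             "password_confirm": "", "errors": errors}
        salt, digest = hash_password(password)
        dummy = DUMMY_CHAR * len(password)

    if errors:
        # Only non-password fields failed: keep the hash server-side, send the dummy down.
        PENDING[session_id] = {"salt": salt, "digest": digest, "dummy": dummy, "created": now}
        return "retry", {"email": form.get("email", ""), "password": dummy,
                         "password_confirm": dummy, "errors": errors}

    # Everything validated: this is what would be written to the users table.
    PENDING.pop(session_id, None)
    return "ok", {"email": form["email"], "salt": salt, "digest": digest}
```

One design point worth noting: because the client can see the placeholder, a user who deliberately types a password made entirely of the placeholder character while a pending record exists would be treated as echoing the dummy. If that matters for your site, pair the dummy with a hidden per-submission token (or compare the dummy only when the field was not edited) rather than relying on string equality alone.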