Re: Protection against showing hidden passwords with javascript



In article
<459fcaba-fabb-4ac4-83e3-114b2016d598@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
matthewslaney@xxxxxxxxx wrote:

Hi,

I recently learned of the "exploit" where you can run a javascript
command to view saved passwords that are hidden. This code:

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms;
for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if
(f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if
(s) alert("Passwords in forms on this page:\n\n" + s); else
alert("There are no passwords in forms on this page.");})();

I was wondering if there was any way to protect against this?

Please refrain from stating the obvious, "don't save your passwords".
There are a couple of sites I use frequently and don't care about
security too much, but don't want my passwords to disappear.

I'm not sure what the threat is. Obviously a script on a web page has
access to all the form data you've entered into it, including passwords.

--
Barry Margolin, barmar@xxxxxxxxxxxx
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
.



Relevant Pages

  • Re: dsmod -u & -p problems
    ... The only time you need an SSL connection is when you change passwords, ... I am having trouble with this command running ... dsmod failed:The parameter is incorrect. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Admin OU password change
    ... > decides that this person is in charge of passwords for the entire ... > domain because IT isnt far enough up the chain of command to be held ... > (for security reasons) but yet you are an AD admin and could change it ...
    (microsoft.public.win2000.active_directory)
  • Re: Recommend Linux Distro, Mail/MTA/FTP daemon?
    ... or integrate it easily with throwaway accounts and file ... > change passwords or add users for their virtual domains:P ... reliable CGI to manipulate user accounts ... I work from the command line, and have never been asked something ...
    (comp.os.linux.setup)
  • Re: Security in Win 2000 Vs. Win XP Pro
    ... Members of any group other than "Administrators" or explicitly ... This command option runs in Windows NT 4, Windows 2000, and Windows XP ... This information along with other Control Panel options can be found at the ... > change/reset all administrator passwords, ...
    (microsoft.public.win2000.security)
  • Re: Administrator Password
    ... You can use the "net user username newpassword" to change passwords at the command ... prompt BUT you must be logged in as an administrator. ... the free password reset programs to reset the built in administrator account. ...
    (microsoft.public.win2000.security)