问题
I have been helping out some people with their computers and repairing them. One of these people asked me about the safety of storing passwords in the auto form field. I showed them a quick trick on how you can retrieve the password from a simple jQuery call in the console. While working on some websites, I have been trying to figure out a way of preventing the use of this trick to find out what the saved password is.
To understand what im talking about if you dont know, try the following.
- Navigate to a website with jquery (or jquerify the site) and either have auto form fill in turned on or fill in the password field.
- inspect element to show the password id field or some way to call the field with jquery
- in console run something like
$('#password').val()and watch the password show up.
I am wondering if there is some way for me as a web developer to prevent the use of this on my site but still allow the use of it for getting the value of the field within the site code.
Thanks.
EDIT
From facebook with login autofilled out (blacked out for security)
and then after jquerifying the page and running the $jq('#pass').val() in console without changing anything (password blacked for security)
USE CASE
User 1 is on public computer, they allow the browser to save login info
User 1 leaves, User 2 goes to same site. browser auto fills in login info
User 2 runs the command and gains access to the password
回答1:
Short answer: no. Logically, there's no way to remove ability to access the data in this field and preserve functionality of autofill. The value of the password box is the password, and that's what you want to submit. You would either have to disable autofill to properly stop this from happening.
However...
You might be able to hide the value, by getting the value out of your password input box and blanking it with .val(""). Then submit the variable that stores the value instead of the contents in the box on submit. If you shrink your script using one of many tools out there that obfuscates variable names, it would be slightly more difficult (though certainly not impossible) to find the value. You could get more and more crazy by encrypting the value and decrypting it, but at the end of the day all the keys to get the password would have to be in the script so that the script itself could access it in the proper time. You'd stop the few cases where someone gave it a shot, but not a dedicated person.
You would also have to keep in mind all the following caveats:
You would have to be sure to only submit your password variable if the user does not change what it is. If the user updates the info in their password box, you'd want to submit that instead. With a tool like knockout.js you might be able to continuously get and hide whatever the user types into that box, but it would be another layer of complication
You would want it to be clear to the user what is going on. If their password box was suddenly blank, most users would be very confused.
Let's be realistic though. If a "hacker" has direct access to someone's computer, and they want the password, they're going to get it. They have a thousand other ways of getting to the password first before tapping into your javascript (keylogger, standing behind them as they type, packet sniffer if you're not using HTTPS or encrypting your data, hitting them with a blunt object, etc.) There's an XKCD strip about this somewhere. Edit: Found it :)
回答2:
You can simply disable the autocomplete, so that password is not stored in the input field.
input type="password" autocomplete="off"
来源:https://stackoverflow.com/questions/12012798/how-to-prevent-a-user-from-getting-password-field-value-in-console