Password Field
A password field is the equivalent of a text field except that it displays an asterisk (or some other generic character) instead of the character the user typed.
Basics
Bare-bones code for a password field is:
<INPUT TYPE="password">
This renders the password field only, not any associated label (even if it is specified as an attribute).
Usage
Password fields are used to "mask" sensitive data (such as a login password, a credit card number, etc.) so that anyone observing the screen does not see the actual value entered. They are well worth using, but masking is not effective as a means of security in any other regard: it doesn't encrypt the actual data, it just hides it on the screen.
Processing
Each password field passes a name=value pair where the value is the content of the field at the time the form is submitted. While the content appears as bullets or asterisks on screen, it is sent as clear text.
Be careful about how you parse input from a form that contains a password field. A mischievous user might attempt to pass variables to your script by entering data such as "&name=value&name=value". Since the content is URL-encoded for transmission, this is not a problem so long as you split the input into name=value pairs before decoding it.
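The parsing order described above, as an added example that is not part of the original page. The field names (user, pass, role) and the sample request body are constructed for illustration; the second parser is the mistaken order, kept only for contrast.

```javascript
// Form encoding uses "+" for a space and %XX for everything else.
// decodeURIComponent throws URIError on a malformed escape such as "%zz";
// a caller should treat that as a bad request and reject it.
function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Split text on "&" and the first "=" of each pair, applying `decode`
// to every name and value after the split.
function splitPairs(text, decode) {
  const fields = Object.create(null); // no inherited keys to collide with
  for (const pair of text.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    fields[decode(name)] = decode(value);
  }
  return fields;
}

// Correct order: split the raw body first, then decode each piece.
// An encoded "&" (%26) or "=" (%3D) inside a value stays inside that value.
function parseSplitThenDecode(body) {
  return splitPairs(body, decodeComponent);
}

// Mistaken order: decoding the whole body first turns %26 and %3D back into
// separators, so text typed into one field becomes extra name=value pairs.
function parseDecodeThenSplit(body) {
  return splitPairs(decodeComponent(body), (s) => s);
}

// Constructed sample: what a browser sends when the password field
// contains the literal text "hunter2&role=admin".
const TYPED_PASSWORD = 'hunter2&role=admin';
const SAMPLE_BODY = 'user=alice&pass=' + encodeURIComponent(TYPED_PASSWORD);

console.log(SAMPLE_BODY);                       // the body as transmitted
console.log(parseSplitThenDecode(SAMPLE_BODY)); // two fields: user, pass
console.log(parseDecodeThenSplit(SAMPLE_BODY)); // three fields: user, pass, role
```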
HTML Attributes
Typical
- SIZE - Width of the field in characters.
Unusual
- MAXLENGTH - The maximum number of characters the user may enter.
- ACCESSKEY - A shortcut key to put focus on the element.
- DISABLED - Grays out the element and prevents the user from altering its value.
- TABINDEX - Specified as a number, this alters the default tabbing order of a form.
Of note: there is no attribute for changing the masking character to something else. But then, there is no reason you should need (or even want) to do this.
JavaScript
Aside from the properties common to all form elements, the password field has the following unique properties, methods, and handlers.
Properties
- value - Returns (or assigns) the current value of the field.
- defaultValue - Returns (or assigns) the default value of the field.
- maxLength - Returns (or assigns) the MAXLENGTH attribute.
- size - Returns (or assigns) the SIZE attribute.
Methods
- select() - Highlights (selects) the text content within the field.
Event Handlers
- onkeydown - Takes effect when focus is within the element and a key is pressed
- onkeyup - Takes effect when focus is within the element and a key is released
- onkeypress - Takes effect when focus is within the element and a key is pressed and released
- onselect - Takes effect when some text in the field has been selected by the user
Misc Notes
It's been noted above, but bears repeating that the content of a password field is not secure: upon submission, the data is passed as clear text, such that anyone who intercepts it can immediately see the actual value.
Of particular importance: any form that includes a password field should never be submitted via the GET method, as this will reveal the password in the location window and store it in bookmarks and history as a literal value.