ASP.NET Password Textbox Tip

Posted by Phil Weber on January 11, 2003

Here's a cool ASP.NET tip from Sean 'Early' Campbell & Scott 'Adopter' Swigart (actually from their associate, Richard Hundhausen):

If you've got a password textbox name txtPassword, you cannot assign the Text property to it in code, or via DataBinding. This is by design. Here's a workaround, however:
  txtPassword.Attributes.Add("value", "abc")
Now keep in mind, just because you can do this, doesn't mean you should. This is "by design" for a reason.


Posted by Hitesh on March 23, 2004:

Excellent… It really works…

Posted by Hayke Geuskens on December 2, 2004:

// The folowing solution solves this problem.
// The hacker only sees value="**********" in the HTML source on client side.
// The original password value stays at server side. Make sure to test the 
// "value" attribute before saving. IOW, restore the original password in the
// postback if it has changed. Preventing it, from storing the asterix
// in the password field.

string passWord = User[this.oUser.PasswordField].ToString().Trim();
if (passWord != "")
	this.txtPassword.Attributes.Add("value", new string('*', passWord.Length));
	this.txtPassword.Attributes.Add("value", "");

Leave a comment