
Accepting passwords - somewhat securely


The TextBox server control is an input control that lets the user enter text. By default, the TextMode property is set to SingleLine, which creates a text box with only one line. You can also set the property to MultiLine or Password. MultiLine creates a text box with more than one line. Password creates a single-line text box that masks the value entered by the user.

The display width of the text box is determined by its Columns property. If the text box is a multiline text box, the display height is determined by the Rows property.

Use the Text property to determine the contents of the TextBox control. You can limit the number of characters that can be entered in the control by setting the MaxLength property. Set the Wrap property to true to specify that the contents of the cell should automatically continue on the next line when the end of the text box is reached.

When the TextMode property of an ASP.NET TextBox is set to Password, the value set in the Text property will not display at runtime. This can be a pain, but it is by design: it prevents the unmasked password from appearing in the HTML source of the page.

Although there are good security reasons not to render the password value, which would leave it unmasked in the page source, it is sometimes necessary to display the masked value in the TextBox. One example is a user profile page where the user has the ability to change their password. It makes sense to display it there. After all, the user has already authenticated to get to the page (although the value is sent with the data to the browser and could easily be sniffed).

Security reasons aside, you can work around this by adding the password value to the control as an attribute. Since the TextBox renders as an HTML input control, you can set the value attribute easily, just as you would set the Text property.

PasswordText.Attributes.Add("value", "ThePassword");

Use this to set the value, instead of setting the Text property. You can still read the value from the control via the Text property.
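For comparison, a profile page can offer a password change without ever writing the stored password into the page source. The code-behind below is an added example, not code from the original article; the page name, the control IDs other than PasswordText, and the use of a configured ASP.NET Membership provider are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Assumed markup in a hypothetical Profile.aspx (not from the original article):
//   <asp:TextBox ID="CurrentPasswordText" runat="server" TextMode="Password" />
//   <asp:TextBox ID="PasswordText" runat="server" TextMode="Password" />
//   <asp:Button ID="SaveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
//   <asp:Label ID="StatusLabel" runat="server" />
public partial class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        // No Text assignment and no Attributes.Add("value", ...): the stored
        // password never appears in the HTML sent to the browser.
        PasswordText.Attributes["placeholder"] = "Leave blank to keep current password";
        PasswordText.Attributes["autocomplete"] = "new-password";
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Posted values are still read through the Text property.
        string newPassword = PasswordText.Text;
        if (string.IsNullOrEmpty(newPassword))
        {
            StatusLabel.Text = "Password unchanged.";
            return;
        }

        MembershipUser user = Membership.GetUser(); // currently signed-in user
        if (user == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        try
        {
            // ChangePassword verifies the current password before replacing it.
            bool changed = user.ChangePassword(CurrentPasswordText.Text, newPassword);
            StatusLabel.Text = changed ? "Password updated." : "Current password is incorrect.";
        }
        catch (ArgumentException)
        {
            // Thrown when a password is empty or the new one fails the provider's rules.
            StatusLabel.Text = "Password rejected: check both fields and the password policy.";
        }
    }
}
```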