This is a migrated thread and some comments may be shown as answers.

RadTextBox Password Problem

33 Answers 1429 Views
Input
Matthew
Top achievements
Rank 1
Matthew asked on 13 Jun 2008, 02:57 AM
I am using the RadTextBox control with the Password input.  When I retrieve data using a DataTable, the password characters appear for a second, then disappear.  If I set the input type to singleline, it works fine.  Is there a bug here, or am I doing something wrong?  I have verified that I have the latest version of the control.

Thank you,

Matt

33 Answers, 1 is accepted

0
Dimo
Telerik team
answered on 13 Jun 2008, 10:39 AM
Hi Matthew,

Actually the value of a password RadTextBox should not appear in the browser at all, because this is a security issue. We will fix this on our end. If you want to have the password values available on the client, you should use a RadTextBox in a SingleLine TextMode, if this is appropriate.

By the way, if you use an asp:TextBox in password mode, its Text value is also ignored and not passed to the browser.

Let us know if you need further information.


Sincerely yours,
Dimo
the Telerik team

Instantly find answers to your questions at the new Telerik Support Center
0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 12:55 PM
I am not trying to display the value.  I want the "Password Character" to be displayed ( A Bullet).  The problem is the Bullets appear on the screen, then disappear.  As far as the asp:textbox control, I have done this countless times without an issue.  I need this for an employee maintenance page. 
0
Dimo
Telerik team
answered on 13 Jun 2008, 01:27 PM
Hello Matthew,

If you are able to see the password characters on initial page load, this means that the passwords are visible in the page's source HTML. This is not correct and should not happen.

As for the asp:TextBox - I tried placing a bound textbox inside a RadGrid template column and no asterisks were displayed by the browser. How do you manage to show the password characters? Here is my example:

<telerik:GridTemplateColumn HeaderText="Password" UniqueName="PasswordColumn" DataField="firstname">
    <ItemTemplate>
        <asp:TextBox ID="RadTextBox2" runat="server" Width="90px" TextMode="Password" Text='<%# Eval("firstname") %>' />
    </ItemTemplate>
</telerik:GridTemplateColumn>

The password is not available in the browser also if the textbox is used outside RadGrid and the Text property is assigned to some string.


All the best,
Dimo
the Telerik team

0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 01:35 PM
This is getting confusing.  I changed the input type to single to do a TEST to isolate the issue.  When I did this, I saw the password, and it did not disappear.  When I change the input BACK to password, the BULLETS ( System Password Character) appear, then disappear.  I need the BULLETS to remain on the screen to show that a password exists because the same screen is used to ADD as well as EDIT users from a MASTER LIST, so some users will NOT have passwords yet.

Thank you,

Matt
0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 01:38 PM
You answered the question in the last part of your response.  Can you explain why I need to use a RadGrid.  I am a little confused on this.  I set the text value and it should keep that value and replace the password with system password characters.

Thank you,

Matt
0
Dimo
Telerik team
answered on 13 Jun 2008, 01:43 PM
Hi Matthew,

I see your point, but unfortunately, you will not be able to use RadTextBox or asp:TextBox in password mode to achieve this, because of their specifics and behavior.

Maybe you should implement some custom logic with a RadGrid template column - for example you will check server-side whether a password exists and display this information on the client in whatever control you prefer (e.g. asp:Label). There won't be anything special about the editing and inserting, you can use ordinary textboxes or password textboxes in an edit template.

Let us know if you need further advice.

Regards,
Dimo
the Telerik team

0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 03:15 PM
I know we are going back and forth on this one, but I have used the asp:textbox in this fashion many times.  I want to use the RadTextBox to utilize your skins.  What is the difference in the control if I wrap it in a RadGrid, or if I just use it as a stand alone?
0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 03:18 PM
I forgot to mention that in the Page Source, the password is encrypted.  I understand what you are saying about a security issue.  I think I have a work around for this issue.  Thank you.

Matt
0
Dimo
Telerik team
answered on 13 Jun 2008, 03:21 PM
Hi Matthew,

There is no difference in the behavior of RadTextBox if you place it inside RadGrid or if you use it outside.

However, I was interested in finding out how do you make an ordinary databound asp:TextBox display the password characters on page load. As far as I can see, they are never displayed and the value on the client is always empty. Am I missing something?

Best wishes,
Dimo
the Telerik team

0
Matthew
Top achievements
Rank 1
answered on 13 Jun 2008, 04:25 PM
This might sound wrong, but I am not a fan of drag and drop programming.  Yes it is nice for a quick application, but unfortunately, the work that I do is very detail oriented as well as very secure, to the point that every piece of data is encrypted with our own proprietary logic.  I basically use the drag and drop features of the tool box just to place the controls.  After that, I take over using javascript, and c# behind code.  This allows me to have the most flexibility, as well as make our web sites very dynamic.  They are so dynamic that nothing is hard coded, including menus.  We have a whole framework set up to add pages, security, and user access within a couple of clicks.  I have been a programmer for 15 years now, so I was creating Windows applications before there was a GUI.  I have adapted somewhat using Visual Studio, but I still like the ability to be a free spirit. 

Have a good day.
0
Kevin Kembel
Top achievements
Rank 1
answered on 15 Nov 2009, 09:53 PM
Hi there,

I've run into the same issue as Matthew.  I can get this to work fine with an ASP:TextBox control, but as soon as I replace it with a RadTextBox, the password bullets appear on the screen, and then are immediately removed (it's almost like some client-side code is executed that clears the RadTextBox's value after a postback).

Here is what I'm trying to accomplish.  I have a rather large user edit form that is full of server-side validation.  On post back, everything is validated, and possible errors are sent back in a message to the user. The problem was that if a user had a problem with a field like email, the password fields were also reset on postback.  The user would see "Email address is invalid", and they would correct that problem, but meanwhile not realize that on a separate tab, their password has been blanked out.  The solution was to persist the password value in encrypted viewstate, and if a password value is set, create a mask, and send that value down to the asp:TextBox control.  So, if a user types a password (like '12345'), it is saved in a viewstate variable, and the asp:TextBox was set to txtPassword.Attributes.Add("value","_____").  Then on subsequent postbacks, if the txtPassword value changes from the mask "_____", save the new password in viewstate, mask it, and update the mask on postback.  

This has worked great, but I've since updated the entire form to use RadTextBox controls.  Now, what worked fine in an ASP:TextBox does not work anymore in Telerik:RadTextBox.  After a postback, the value that is masked and stored in the textbox is removed.  It looks like it's there for a split second, and is likely being removed on the client after postback.

Any ideas how I can get this to work?  In researching on the web, I've found that masking and persisting a password textbox through postbacks is a common enough request that I would hope Telerik would have a solution.  For now, I'm using standard ASP:TextBox controls, which don't match the rest of the styled form.
0
Dimo
Telerik team
answered on 16 Nov 2009, 03:39 PM
Hi Kevin,

Indeed, RadTextBox in password mode clears its value during its client-side initialization in order to remove any remembered passwords by the browser, e.g. when refreshing the page or hitting the Back button.

In your case you have the following options:

1) Use asp:TextBoxes and style them with RadFormDecorator
2) Use asp:TextBoxes with RadInputManager
3) Use RadTextBoxes and set the password values client-side with Javascript and a timeout (in the control's Load client event)

Option (1) is the easiest to implement.

Greetings,
Dimo
the Telerik team

Instantly find answers to your questions on the new Telerik Support Portal.
Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
0
Kevin Kembel
Top achievements
Rank 1
answered on 17 Nov 2009, 09:39 PM
I will have to use the first option I think.

I don't mean this as a criticism, and I'm definitely not on the same developer level as your team that has designed the RadTextBox, but would it not make sense that any text in the password textbox after a postback (whether the text is placed there by the browser or by the developer) be intentional, and make clearing the text through client-side code after postbacks counterproductive and unexpected?  Like I said, I'm not nearly as aware of all of the different use cases as the developers at Telerik, but is there some other major security concern that a developer would be subjecting the system to that would require Telerik to implement this feature?  Would it be unreasonable to request a property on the RadTextBox that can specify something like "ClearPasswordTextOnClient" to be false?

Kevin
0
Dimo
Telerik team
answered on 20 Nov 2009, 09:26 AM
Hello Kevin,

Regular asp:TextBoxes normally do not have text after a postback. Your approach is practically a hack. So the same with RadTextBoxes, only the hack is different - set the value client-side (point 3 in my previous reply).

Best wishes,
Dimo
the Telerik team

0
Shaikh Arif ul
Top achievements
Rank 1
answered on 20 Nov 2009, 11:52 PM
Add the OnPreRender event handler on the password textbox, with the following method body:

protected void txtPassword_PreRender(object sender, System.EventArgs e)  
{  
   txtPassword.Attributes["value"] = txtPassword.Text;  
}  
 
 

Thus the password should be displayed after postback.  :)

Best wishes,
Arif
0
Kevin Kembel
Top achievements
Rank 1
answered on 07 Dec 2009, 12:03 AM
Hi Shaikh,

I just wanted to post so that nobody gets the wrong idea, that will work on a regular ASP TextBox control, but does not work on the RadTextBox as the value is cleared after postback.

Kevin
0
Doug Beard
Top achievements
Rank 1
answered on 11 Mar 2010, 05:31 PM
Indeed, RadTextBox in password mode clears its value during its client-side initialization in order to remove any remembered passwords by the browser, e.g. when refreshing the page or hitting the Back button.

This behavior sorely needs an override.
Let's say for example, you wish to hide the password not for the benefit of potential hackers but for the benefit of over the shoulder looking.
Therefore the user is able to click a button to reveal the password.  Clearing loaded passwords on initialization clears any pass that was loaded from the DB, this behavior makes the password mode of the RadTextbox useless, as there is no over-ride.

*Sigh*  Once again I'll hack up my own solution. 
0
Dimo
Telerik team
answered on 12 Mar 2010, 08:44 AM
Hello Doug,

As discussed earlier, both RadTextBox and asp:TextBox normally do not display a value initially, so you need a hack in all cases.

Regards,
Dimo
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
0
Doug Beard
Top achievements
Rank 1
answered on 12 Mar 2010, 02:48 PM
Dimo,

Firstly, pointing out the default behavior of the classic textbox is what's called a strawman argument.  No one was arguing whether the classic textbox behaves this way or not.  Please break the habit of defending your own control suite by touting the weakness of another.

And finally, I don't feel attaching a value attribute OnPrerender is a hack.  Does your password moded textbox support this hack (er I mean pattern)?

What we're pointing out, is
1.) Telerik should implement this feature, because it's very useful to be able to toggle it on or off when security is of no concern.
2.) Since the work around for the classic textbox doesn't work on the RadTextbox, effectively the RadTextbox in password mode is missing functionality that the classic textbox has in password mode. 

I think we'd all agree, that for an extended control suite, 2.) is a terrible selling point for Telerik.
0
Dimo
Telerik team
answered on 12 Mar 2010, 03:47 PM
Hello Doug,

Thank you for sharing your opinion, however, I am afraid we do not intend to implement such a behavior.

Regards,
Dimo
the Telerik team

0
Kevin Kembel
Top achievements
Rank 1
answered on 22 Apr 2010, 08:05 PM
I have to say, that's a very disappointing response, especially since this thread has several different Telerik customers complaining about the same "feature".  It still doesn't make sense to me why the RadTextBox would clear the content from the control on the client-side after the page loads, rendering any standard workarounds useless (forcing us to then implement a delay to put the text *back* into the control after Telerik clears it!).  Of course the only other alternatives of "use the standard ASP TextBox control" for password fields seems to severely devalue the RadTextBox, and it's disappointing to see that the seemingly simplistic request of being able to turn on or off the client-side password clearing is rejected without any actual justification.

I don't think we're stupid, if this feature is way more complicated to implement than we think it is, let us know that.  Or tell us why this feature request is otherwise not valuable enough at least.
0
Dimo
Telerik team
answered on 23 Apr 2010, 11:16 AM
Hello all,

I believe we have provided enough information why the control behaves like that and why we do not plan to change the behavior. The feature is not difficult at all to implement, we simply consider that it should not be implemented - a password should never be sent to the client in the HTML output.

Regards,
Dimo
the Telerik team

0
Doug Beard
Top achievements
Rank 1
answered on 23 Apr 2010, 01:17 PM
You're making the assumption that obscured textbox is only for passwords.  
I've already met my own needs, but I was a bit disappointed in this interaction.

Don't, however, misunderstand, I've been using this control suite since you only had the RadEditor.  Been an evangelist for ya'll.  I think you have a robust offering and have historically provided valuable support.
0
Kevin Kembel
Top achievements
Rank 1
answered on 25 Apr 2010, 03:31 AM
I see, I think the difference of opinion may be because of a miscommunication then.  I don't believe any of us were trying to pass the actual password to the client in the response to populate the password text field.  As Matthew stated in the beginning, "I am not trying to display the value.  I want the "Password Character" to be displayed ( A Bullet)", and in my case it was the same.  This article on CodeProject may help explain what is being attempted here (http://www.codeproject.com/KB/aspnet/KeepPassword.aspx), it's a way to provide a more rich and obvious user experience for modifying passwords without risking any security.

Basically, you take the actual value and mask it (I used the persisted hashed password in my scenario), and you pass the mask to the client in the password textbox.  On postback, you compare the user's input with the original mask to see if they modified the field, and if they did modify it, then you update the actual value with what was passed back from the client.

It works quite well and appears to be a fairly common requirement, searching around on the web comes up with quite a few results in blogs and forums, and it's not a 'hack', it's a practice. 

It sounds like Telerik has already made up their mind, although it appears to be on a misunderstanding, and I've gone ahead and used a standard ASP Textbox to get the desired result for password manipulation.   It's appreciated that Telerik goes to extra lengths to prevent their customers from designing websites that may compromise the end user's passwords, but I think it's important that it doesn't cripple the product, and it's disappointing to have to revert back to the standard textboxes to access a welcome and useful feature.
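
The mask-and-compare pattern described in the post above, as an added example that is not part of the original thread, the linked article, or Telerik's code. The names `MaskedPasswordField` and `PasswordAction`, the placeholder string, and the handling of a blank submission are assumptions made for illustration.

```csharp
using System;

// Hypothetical names; this is an illustration, not Telerik or ASP.NET API.
public enum PasswordAction { Keep, Replace, Reject }

public static class MaskedPasswordField
{
    // Constant sentinel sent to the browser in place of the secret. Because it is
    // fixed, neither its content nor its length says anything about the stored
    // password, and the real value never appears in the HTML output.
    public const string Placeholder = "________";

    // What the server puts in the password box when the form is rendered.
    public static string ValueToRender(bool hasStoredPassword)
    {
        return hasStoredPassword ? Placeholder : string.Empty;
    }

    // Decide on postback what the submitted field means.
    public static PasswordAction Resolve(string posted, bool hasStoredPassword)
    {
        if (string.IsNullOrEmpty(posted))
        {
            // Assumed policy: a blank field never silently deletes an existing
            // credential; a user without a password simply stays without one.
            return hasStoredPassword ? PasswordAction.Reject : PasswordAction.Keep;
        }

        if (posted == Placeholder)
        {
            // The mask came back untouched: nothing changed. If no mask was ever
            // rendered, the user typed the sentinel as a password; refuse it,
            // because it could never be told apart from "unchanged" later.
            return hasStoredPassword ? PasswordAction.Keep : PasswordAction.Reject;
        }

        // Anything else is treated as a newly typed password (this includes a
        // partially edited mask). The caller hashes and stores it server-side.
        return PasswordAction.Replace;
    }

    public static void Main()
    {
        // Constructed postbacks: (submitted value, does a password already exist?)
        var cases = new[]
        {
            new { Posted = Placeholder,        HasStored = true  },
            new { Posted = "n3w-Passphrase!",  HasStored = true  },
            new { Posted = "",                 HasStored = true  },
            new { Posted = "",                 HasStored = false },
            new { Posted = Placeholder,        HasStored = false },
            new { Posted = "first-Passphrase", HasStored = false },
        };

        foreach (var c in cases)
        {
            Console.WriteLine("rendered='{0}' posted='{1}' -> {2}",
                ValueToRender(c.HasStored), c.Posted, Resolve(c.Posted, c.HasStored));
        }
    }
}
```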
0
Dimo
Telerik team
answered on 26 Apr 2010, 11:25 AM
Hi Kevin,

Thank you for the clarification. So if I understand you correctly, you only want the password textbox to not delete its value client-side on page load. However, as stated above, this is required to prevent some values being preserved by the browser. You will need to insert a mask client-side by using the textbox' Load client event.

Greetings,
Dimo
the Telerik team

0
Doug Beard
Top achievements
Rank 1
answered on 26 Apr 2010, 01:20 PM
No, I don't want the 'bullets' (mask), I want the password. 
Telerik's opinion I suppose, that under no circumstances should a password textbox send its contents to the browser.
I respectfully disagree.

The misunderstanding here is the assumption that a password moded textbox is simply for passwords.  I work for a large banking software provider, there are MANY occasions when I should need to obscure the text of a textbox from view initially and be able to reveal it on demand.

I understand the security reasoning for not doing this in general.  A public website should never allow the password to be transmitted in plain text.  However, I argue that there are occasions in Web Applications when it is required to pass the content of a password textbox to the client.  A simple switch property to enable or disable (disable by default obviously) this behavior is all that is required and quite easily implemented.

The discussion for me is moot, since I have developed my own solution.
0
Tony Velasquez
Top achievements
Rank 1
answered on 29 Apr 2010, 06:57 PM
If you go into any Windows Form application (SQL Server user configuration comes to mind) in the textbox where the password should be you see the bullets indicating a value exists. I know the actual password is not being stored in the textbox because the number of bullets do not match the number of characters in my configured password which the bullets represent.

It would be nice to be able to create a web application that can resemble a Windows Form application as closely as possible. Yes, we could code something like this ourselves, but it'd be nice if Telerik could provide an easy approach.

I tried to set the Empty Text setting for the textbox in password mode to XXXX from the server side if a value exists but it doesn't get displayed unless you focus then unfocus the input.

I was thinking of displaying a label with XXXX (similar to credit card websites) if the "password" exists and have either a lock or edit icon next to it which replaces the label with a blank textbox in password mode.

Any better ideas?
0
Kevin Kembel
Top achievements
Rank 1
answered on 29 Apr 2010, 08:49 PM
Hi Tony,

If you think you can use the bullets rather than 'XXXX', you can use the password textboxes.  This article should help:
http://www.codeproject.com/KB/aspnet/KeepPassword.aspx

Just be sure, as Dimo points out, that you don't send the actual protected value back to the client in the textbox, you'll want to mask it to fill in the field.  If you want to use the Telerik password textbox, as Dimo suggested, you'll have to insert the value into the textbox in a delay after load (because the value is blanked out in a Telerik password text when the page loads, regardless of any value explicitly set in the response).
0
Simon
Top achievements
Rank 1
answered on 05 Jan 2012, 12:04 PM
Hello

Try this section of code. It worked for me 100% even after reading all the other suggestions.

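// Register Startup Script
// JavaScript-encode the cookie value before embedding it in the script, and pass
// setTimeout a function rather than a string so the value is parsed only once.
string password = HttpUtility.JavaScriptStringEncode(Request.Cookies["AppName"]["Password"]);
ClientScript.RegisterStartupScript(
        this.GetType(),
        "Script",
        "setTimeout(function () { window['txtPassword_text'].value = '" + password + "'; }, 500);" +
        "setTimeout(function () { window['txtPassword'].value = '" + password + "'; }, 500);",
        true);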

Regards,
Simon
0
SSirica
Top achievements
Rank 3
Iron
Iron
Iron
answered on 20 Mar 2012, 03:37 PM
Doug,

What did you come up with for a solution for this Password debacle?  I agree with you that there should be an override for this behavior.
0
Galin
Telerik team
answered on 23 Mar 2012, 10:58 AM
Hello Steve,

Have you found a solution for your issue?

Otherwise, or if further questions arise, please start a formal support ticket, if possible with a sample project attached, and we will address your question as necessary.

Greetings,
Galin
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
0
SSirica
Top achievements
Rank 3
Iron
Iron
Iron
answered on 23 Mar 2012, 12:30 PM
Yeah I was able to cobble something together.
0
darren
Top achievements
Rank 1
answered on 05 Sep 2012, 10:37 AM