I think common practice is to leave password fields blank after a login failure so the password must be re-entered.
In any case, I cannot replicate either behavior you describe using the standard web2py Auth forms. When I have a failed login, the entire login form is reloaded empty. When I enter the second password incorrectly on a register form, the form reloads, and I only have to correct the second password, not re-enter the first. Can you show the code you are using for your forms?

Anthony

On Friday, July 25, 2014 9:32:03 AM UTC-4, Louis Amon wrote:
>
> We're all developers here so I couldn't agree more.
>
> Still, I'm running a commercial website so I'm a slave to what my users want.
> As far as my customers are concerned, security comes second after ease of use…
>
> Anyway, you have to admit that the examples I gave in the first post are misleading in terms of user experience, right?
>
> Isn't there a way to improve it without compromising security too much?
> I can see one: erasing input fields after each validation failure (blank fields are less misleading). Do you see others?
>
>
> On 25 July 2014 at 15:19, Willoughby <neil.erik...@gmail.com> wrote:
>
> A simple Google search will yield people complaining about their host accounts getting hacked on airbnb.
> Just because someone or something large 'does it that way' doesn't mean it's a best practice!
>
> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
>>
>> I don't see much of a security threat here.
>> What's the worst-case scenario?
>>
>> If you take a look at airbnb.com <http://www.airbnb.com/>, their registration form keeps your typed password even if you fail validation on other fields.
>>
>> If a website that big can do it then surely my small website will pull through, don't you think?
>>
>> On 25 July 2014 at 14:47, Niphlod <nip...@gmail.com> wrote:
>>
>> so you really want the webpage to return the actual password instead of asterisks? it's a big security risk, no matter what user experience says.....
>>
>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>>>
>>> I'm trying to improve user experience on my website and I noticed a rather annoying behavior on password fields:
>>>
>>> If I type a password longer than 8 characters and somehow my form fails (some other field didn't validate), my password gets replaced by "********" in request.vars.password.
>>>
>>> For example:
>>> I try to login and mistype my username --> login form fails.
>>> I correct the mistake in the username and press the submit button again --> login still fails, because the password got replaced by '*********' under the hood.
>>>
>>> Another example:
>>> I try to register and type my password but mistyped my password verification (password_two) --> register form fails.
>>> I focus the password_two field and retype my password --> register still fails because the original password field got replaced...
>>>
>>> This behavior is extremely frustrating for users as they can't print request.vars.password like a developer would. All they see is obfuscated passwords.
>>> I cannot have this on my commercial website.
>>>
>>>
>>> Is there any way to fix this?
>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to a topic in the Google Groups "web2py-users" group.
>> To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to web2py+un...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
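The practice Anthony describes above (redisplaying a form after a validation failure with the password fields blank while the other fields keep what was typed), as an added example in plain Python. This is illustration code, not web2py's own form machinery: the field names, the register validation rules and the `render_form`, `render_form_naive`, `response_leaks_secret` and `handle_register` helpers are assumptions made for this example. The naive renderer is the behaviour Louis asked for (every field re-filled, password included), placed beside the hardened renderer; the last helper is the check a reviewer would want on any redisplayed form, that the response body never contains a submitted secret.

```python
"""Redisplaying a form after a validation failure without echoing the
password back to the browser.

Added illustration for the thread above, not web2py code.  The field names,
the validation rules and every helper below are assumptions for this example.
"""
import html
from dataclasses import dataclass, field

# Fields whose submitted value must never be written back into the page.
SECRET_FIELDS = frozenset({"password", "password_two"})

# (field name, input type) for the two forms discussed in the thread (assumed layout).
LOGIN_FORM = [("username", "text"), ("password", "password")]
REGISTER_FORM = [("email", "text"), ("password", "password"), ("password_two", "password")]


@dataclass
class FormResult:
    ok: bool
    errors: dict = field(default_factory=dict)
    rendered: str = ""  # HTML of the redisplayed form; empty on success


def validate_register(vars):
    """Return {field: error message}; an empty dict means the input is valid."""
    errors = {}
    if "@" not in vars.get("email", ""):
        errors["email"] = "enter a valid e-mail address"
    pw = vars.get("password", "")
    if len(pw) < 8:
        errors["password"] = "must be at least 8 characters"
    if vars.get("password_two", "") != pw:
        errors["password_two"] = "passwords do not match"
    return errors


def render_form_naive(spec, vars, errors):
    """The behaviour asked for in the thread: every field, passwords included,
    is re-filled with what the user submitted.  Shown only as the 'before'."""
    rows = []
    for name, input_type in spec:
        value = html.escape(vars.get(name, ""), quote=True)
        rows.append('<input type="%s" name="%s" value="%s"> %s'
                    % (input_type, name, value, html.escape(errors.get(name, ""))))
    return "\n".join(rows)


def render_form(spec, vars, errors):
    """Redisplay the form: non-secret fields keep the submitted value
    (HTML-escaped so the echo cannot become an injection point), secret
    fields get no value attribute at all, so a resubmit can never carry a
    stale password or a placeholder string such as '********'."""
    rows = []
    for name, input_type in spec:
        if name in SECRET_FIELDS:
            value_attr = ""
        else:
            value_attr = ' value="%s"' % html.escape(vars.get(name, ""), quote=True)
        rows.append('<input type="%s" name="%s"%s> %s'
                    % (input_type, name, value_attr, html.escape(errors.get(name, ""))))
    return "\n".join(rows)


def response_leaks_secret(rendered, vars):
    """Check to run on any redisplayed form: does the response body contain
    a submitted secret, either raw or in its HTML-escaped form?"""
    for name in SECRET_FIELDS:
        value = vars.get(name, "")
        if value and (value in rendered or html.escape(value, quote=True) in rendered):
            return True
    return False


def handle_register(vars):
    """Validate a register submission; on failure return the blanked-password form."""
    errors = validate_register(vars)
    if errors:
        return FormResult(False, errors, render_form(REGISTER_FORM, vars, errors))
    return FormResult(True)


if __name__ == "__main__":
    # Constructed sample submission: matching passwords, invalid e-mail address.
    submitted = {"email": "not-an-address", "password": "correct horse battery",
                 "password_two": "correct horse battery"}
    result = handle_register(submitted)
    print(result.rendered)
    print("hardened form leaks secret:", response_leaks_secret(result.rendered, submitted))
    naive = render_form_naive(REGISTER_FORM, submitted, result.errors)
    print("naive form leaks secret:", response_leaks_secret(naive, submitted))
```

The cost of the blank-field approach is exactly the one the thread debates: after a mismatch on `password_two` the user retypes both password fields. What it buys is that the password is never written into a response body (where it would sit in browser history, caches, proxies and page-saving extensions) and that a resubmit never carries a server-generated placeholder that is guaranteed to fail authentication.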