Password value visible with Inspect

  1. #1

    Ext.Net 4.5.1

    User control containing a password field. The value of the password is visible when right-clicking and choosing Inspect (Google Chrome 66)


    <%@ Page Language="C#" %>
    <%@ Register Src="UserPassword.ascx" TagName="UserPass" TagPrefix="uc" %>
    <script runat="server">
       protected void Page_Load( object sender, EventArgs e )
       {
          if ( !X.IsAjaxRequest )
             this.BindUser();
       }
       public void BindUser()
       {
          userPass1.UserName = "AliBaba";
          userPass1.Password = "OpenSesame";   // sent to the browser as the field's value
       }
    </script>
    <!DOCTYPE html>
    <html xmlns="">
    <head runat="server">
       <title>Password inspect bug</title>
    </head>
    <body>
       <form id="form1" runat="server">
          <ext:ResourceManager runat="server" />
          <ext:Panel runat="server" Title="Customer Details"> <%-- container tag missing from the post; ext:Panel assumed --%>
             <Items>
                <ext:Panel ID="panel1" runat="server" Header="false" Layout="FitLayout">
                   <Content>
                      <uc:UserPass ID="userPass1" runat="server"></uc:UserPass>
                   </Content>
                </ext:Panel>
             </Items>
          </ext:Panel>
       </form>
    </body>
    </html>

    <%@ Control Language="C#" %>
    <script runat="server">
       public string UserName
       {
          get { return this.txtUser.Text; }
          set { this.txtUser.Text = value; }
       }
       public string Password
       {
          get { return this.txtPassword.Text; }
          set { this.txtPassword.Text = value; }   // value is rendered into the page
       }
    </script>
    <ext:Panel ID="panel1" runat="server" BodyPadding="5" Layout="AnchorLayout">
       <Items>
          <ext:Panel ID="panel2" runat="server" Border="false" Header="false" AnchorHorizontal="100%" Layout="FormLayout">
             <Items>
                <ext:TextField ID="txtUser" runat="server" FieldLabel="User" />
                <ext:TextField ID="txtPassword" runat="server" FieldLabel="Password" InputType="Password" />
             </Items>
          </ext:Panel>
       </Items>
    </ext:Panel>
    Are there any known workarounds?
  2. #2

    I'm afraid this is rather a browser limitation, not Ext.NET's. You can see discussions and some suggestions here. There may be specific solutions using 3rd party ASP.NET libraries (or maybe native ASP.NET authorization tracking features) to keep users from finding passwords.

    - Prevent user to find password through Firebug/Chrome Dev Tools

    Browser-wise, maybe a good option at least to hinder the attack (as brute-force reverse engineering of the hashed string may still be possible -- but time-consuming), would be to bind the password field and replace its contents with an obfuscated/hashed password that you can translate. Such options go beyond Ext.NET scope but are discussed at least in the topic in the link above.

    That's probably one of the reasons why some services like Google and GitHub offer 2-factor authentication.

    Hope this helps!
    Fabrício Murta
    Developer & Support Expert
  3. #3
    Thanks Fabrício!
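
An added example, not code from the thread or from Ext.NET: a variant of the UserPassword.ascx control above that never writes the stored password into the response, so there is no value for Inspect to show. The `HasStoredPassword`, `NewPassword` and `PasswordChanged` members are hypothetical names introduced here; `EmptyText` is used as the field's placeholder text.

```aspx
<%@ Control Language="C#" %>
<script runat="server">
   // Hardened variant of UserPassword.ascx (added example, member names are hypothetical).
   public string UserName
   {
      get { return this.txtUser.Text; }
      set { this.txtUser.Text = value; }
   }

   // Write-only flag: tells the user a password is on file without
   // sending the password itself. Only placeholder text reaches the browser.
   public bool HasStoredPassword
   {
      set { this.txtPassword.EmptyText = value ? "(unchanged)" : ""; }
   }

   // Read-only: whatever the user typed in this request.
   // There is deliberately no setter, so server code cannot pre-fill the field.
   public string NewPassword
   {
      get { return this.txtPassword.Text; }
   }

   // An empty field on submit means "keep the existing password".
   public bool PasswordChanged
   {
      get { return !string.IsNullOrEmpty( this.txtPassword.Text ); }
   }
</script>
<ext:Panel ID="panel1" runat="server" BodyPadding="5" Layout="AnchorLayout">
   <Items>
      <ext:Panel ID="panel2" runat="server" Border="false" Header="false" AnchorHorizontal="100%" Layout="FormLayout">
         <Items>
            <ext:TextField ID="txtUser" runat="server" FieldLabel="User" />
            <ext:TextField ID="txtPassword" runat="server" FieldLabel="Password" InputType="Password" />
         </Items>
      </ext:Panel>
   </Items>
</ext:Panel>
```

With this control the page would set `userPass1.HasStoredPassword = true` in `BindUser()` where it assigned `Password`, and on save it would update the stored credential only when `PasswordChanged` is true.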
