Preventing a common security problem with login forms
by Matthew James Taylor on 7 October 2007
I've seen this mistake so many times. I find it quite annoying, but it's also a potential security risk. Let me explain...
How it works (or doesn't)
- The user navigates to the login page;
- The HTML of the page appears including the login form (but the images on the page haven't loaded yet);
- The user clicks in the username field and types their username;
- They press 'Tab' to jump down to the password field;
- About this time the images on the page finish loading and focus is set back on the username field;
- As they type, the password now appears in the username field by mistake;
- If anyone is watching, the password security has been compromised!
I have found this problem on some pretty major websites; Digg and Network Solutions are good examples (by good I mean bad). I alerted Network Solutions to the problem months ago but it still hasn't been fixed. It seems security is not a priority for them.
So what can be done to fix the problem?
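One way to avoid the focus steal described in the steps above, shown as an added example that is not code from the original article. The function names, the constructed stand-in page and the `username` element id are assumptions made for illustration.

```javascript
// Vulnerable pattern: called from window.onload, so it runs only after every
// image has loaded, and it moves focus unconditionally.
function naiveAutofocus(doc, field) {
  field.focus();
  return true;
}

// Hardened pattern: take focus only if the user has not started using the form.
function safeAutofocus(doc, field) {
  const active = doc.activeElement;
  // Focus already sits on some other element: the user clicked or tabbed there.
  const focusedElsewhere = Boolean(active) && active !== doc.body && active !== field;
  // The field already holds text: the user (or autofill) got there first.
  const alreadyFilled = field.value !== "";
  if (focusedElsewhere || alreadyFilled) return false;
  field.focus();
  return true;
}

// Constructed stand-in for the page, replaying the steps listed above.
// Returns the name of the field that ends up receiving the password keystrokes.
function replayLateLoad(autofocus) {
  const doc = { body: { name: "body" }, activeElement: null };
  const makeField = (name) => {
    const el = { name, value: "", focus() { doc.activeElement = el; } };
    return el;
  };
  const username = makeField("username");
  const password = makeField("password");
  doc.activeElement = doc.body;
  username.focus();                     // user clicks the username field
  username.value = "alice";             // ...and types a (constructed) username
  password.focus();                     // user presses Tab
  autofocus(doc, username);             // images finish loading, focus script fires
  doc.activeElement.value += "s3cret";  // user types a (constructed) password
  return doc.activeElement.name;
}

// Browser wiring: run when the DOM is parsed instead of waiting for images.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const field = document.getElementById("username"); // assumed element id
    if (field) safeAutofocus(document, field);
  });
}
```

`replayLateLoad(naiveAutofocus)` puts the password in the username field, while `replayLateLoad(safeAutofocus)` leaves it in the password field.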