
Preventing passwords showing in source code

I am doing a password manager web app (like LastPass etc.). One of the things that has occurred to me is that, after using PHP to retrieve the passwords from a db and decrypting them and then using JS to display them in the UI, the variables containing their passwords are visible if someone looks at the source code. Even if I did not use JS and used echo instead, it would still be in the source code. Does anyone know of a, hopefully not too complex, way that can prevent the passwords from being in the source code?


Answer

If you’re talking about the HTML source code, this is normal. But there are a few ways to avoid it:

  • If you just want not to have it in your HTML when it is received by the user, then you can implement it via an Ajax request in JavaScript, to update the DOM with the text.
  • If you want the user not to see the password when they inspect the page, you can use an input and set its value in JavaScript. Then you set the input as disabled so the user cannot modify it. You can even change the type to password when needed so it’s displayed as ****** when you want to hide it.
  • Another way could be to add a CSS :after in JavaScript and to put the value inside it. But it will still be visible somewhere, I think.
User contributions licensed under: CC BY-SA
9 People found this is helpful
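
The first two suggestions in the answer (load the value with an Ajax request, then assign it to an input from JavaScript), sketched as an added example that is not part of the original answer. The endpoint path, the X-CSRF-Token header name and the 15-second clear timer are assumptions made for illustration.

```javascript
// Added example. Hypothetical names: /api/entries/<id>/secret, X-CSRF-Token.
const REVEAL_MS = 15000; // assumed window before the field is emptied again

// Build the request for one secret. The page itself carries no secret; the
// server must check the session and authorise the entry id on every call.
function buildSecretRequest(entryId, csrfToken) {
  return {
    url: `/api/entries/${encodeURIComponent(entryId)}/secret`,
    init: {
      method: "POST",              // not a cacheable, bookmarkable GET
      credentials: "same-origin",  // send the session cookie to our origin only
      cache: "no-store",           // keep the response out of the HTTP cache
      headers: { "X-CSRF-Token": csrfToken, Accept: "application/json" },
    },
  };
}

// Put the secret into a masked, read-only field and schedule its removal.
// `input` is an <input> element (any object with value/type/readOnly works).
function reveal(input, secret, ttlMs = REVEAL_MS, setTimer = setTimeout) {
  input.type = "password";  // shown as dots until the user asks to see it
  input.readOnly = true;    // user can copy the value but not edit it
  input.value = secret;     // set as a property, never written into the HTML
  const clear = () => { input.value = ""; };
  setTimer(clear, ttlMs);
  return clear;             // caller can also clear early, e.g. on tab hide
}

// Fetch one secret on demand and show it. Failed or unauthorised requests
// leave the field untouched.
async function fetchAndReveal(input, entryId, csrfToken,
                              fetchImpl = fetch, setTimer = setTimeout) {
  const { url, init } = buildSecretRequest(entryId, csrfToken);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`secret request failed: ${res.status}`);
  const { secret } = await res.json();
  return reveal(input, secret, REVEAL_MS, setTimer);
}
```

The value is still readable by the logged-in user in the browser's network tab and through the input's value property; what changes is that it is absent from the served HTML and from cached copies of the page.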