ASP.NET Hide Length of Password During Entry

I have to hide the length of the password being entered during login of my asp.net web application. I know the asp.net textbox ser开发者_JS百科ver control has the textmode of password but I can't even show the that. Any suggestions on how to hide the user input?

<input type="password" name="password" style="color:White;"/>

seems close to your requirement but some browsers highlight input fields with yellow when you are in them. Setting the font size to 1px is another trick you could try.

But easiest might be to instead use z-index to put an image or colored DIV on top of the password field. Maybe an animated gif with a line of * characters that grows and shrinks randomly would be best - would totally confuse onlookers! :-)

How the user even knows the field is selected is another issue you'll have, maybe some extra javascript to detect and tell them that.

If you must (which I agree with @Ando that you shouldn't due to UI issues), I would use javascript (onkeydown) to copy each character to a hidden input field, and remove the key entered in the box.

This would allow you to retrieve the password on postback, while keeping the input field empty for the user.

Of course, if the user presses arrow keys, delete or backspace, you would have to decide how to handle that.

Hiding the length of the input seems like a really really bad UI idea from the users perspective, and you should argue that the specification should be changed.

While, I also agree with everyone else that is a bad idea I understand that some times you have to do things you disagree with.

I would have suggested what Mikael did but he already did it. :)
To recap:

I would use javascript (onkeydown) to copy each character to a hidden input field, and remove the key entered in the box.

This would allow you to retrieve the password on postback, while keeping the input field empty for the user.

Of course, if the user presses arrow keys, delete or backspace, you would have to decide how to handle that.

You've said:

My issue with using Javascript and storing in a hidden field is the user viewing the source of the page and seeing it.

I'm pretty sure that viewing the source should only show you what was originally downloaded not what the user has entered. However, there are tools (i.e. firefox addons) that can do this. You could store the value in a javascript varible and only put the password in the hidden field when it is posted or use some sore of ajax request to authenticate. However, With the right addons someone could find this as well.

If the issue is someone looking over the shoulder of the person logging in then these concerns (i.e. viewing source) won't matter unless the person who is logging in decides to view the source and show the person in which case it would just be easier for him to tell the other person his password.

Agreeing that its not the best idea...

1) When you start typing, on each key press, restrict a specific character from being entred as part of a password (eg pipe) then when the user types, add a ramdom number of pipes (eg between 0 and 4 pipes) then just remove these server-side?

2) Add these to a hidden field...if the user does a View_Source, they will only see the original value of the field, ie will be empty...just remember to clear the value if you need to depending on how its rendered (asp.net webform hidden field control) etc

3) Have 2 password boxes that need 2 passwords (just as bad an idea)

I confirmed the requirement with a security officer and apparently I miss read the requirement. However, I have seen Windows based applicatiosn perform this. The cursor moves on each key stroke but no star, asterik or bar is used. Thanks to everyone for theie suggestions and comments.