Click here to Skip to main content
12,950,832 members (57,601 online)
Click here to Skip to main content
Articles » Web Development » ASP.NET » Howto » Downloads


34 bookmarked
Posted 24 May 2007

How-to safely keep a password field during postbacks and why it shouldn't be done

, 31 May 2007
Think of this article as a beginner's guide to think about design and security when solving problems.
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

public partial class _Default : System.Web.UI.Page 
    //PasswordMask need to be passwordMaxSize+1 to detect that changes occured. On modern windows system (post windows 98 versions), passwords can be up to 128 characters.
    //setting mask to 129 '*' characters
    //remember that 128 '*' characters is a valid windows password! 
    //so setting txtPassword maxlength to 128 hinders the user from entering a password that matchs the mask.
    protected const string PasswordMask = "*********************************************************************************************************************************";
    protected string TypedPassword
            if (ViewState["TypedPassword"] != null)
                return Convert.ToString(ViewState["TypedPassword"]);
            return null;
            ViewState["TypedPassword"] = value;

    protected void Page_Load(object sender, EventArgs e)
        //detect if password was changed. if filled and not equal to mask, it is new
        if (txtPassword.Text.Trim().Length > 0 && txtPassword.Text != PasswordMask)
            TypedPassword = txtPassword.Text;
            txtPassword.Attributes.Add("value", PasswordMask);
        txtPassword.Attributes.Add("onclick", "Clear_Password('" + txtPassword.ClientID + "')");

        if (!ClientScript.IsClientScriptBlockRegistered("Clear_Password"))
            ClientScript.RegisterClientScriptBlock(typeof(string) ,"Clear_Password", "function Clear_Password(id){ try{document.getElementById(id).value = '';} catch(ex){/* do nothing */} }", true);
    protected void btnPostBack_Click(object sender, EventArgs e)
        string user = txtUser.Text;
        string password = TypedPassword;

        //save to database or do whatever work needed with user/password
        //remember that it can be null if not specified, so test for it!
        lblTypedUser.Text = user;
        lblTypedPassword.Text = password;

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Roberto Colnaghi
Software Developer
United States United States
I'm a passionate developer and videogame player.
Been in touch with Objective-C, Javascript, C#, C, Guild Wars 2, Tera and many more.

Javascript is one of my favorite languages.

You may also be interested in...

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02 | 2.8.170525.1 | Last Updated 31 May 2007
Article Copyright 2007 by Roberto Colnaghi
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid