56

In my view I have the following element

  @Html.PasswordFor(model => model.Password)

This is on a screen that creates/updates user details. When I am trying to update the user this field remains blank. When I change this element to a TextBoxFor it gets the data. How do I get to populate the Password field?

2
  • 8
    If you have the user's password to be able to put in the box, you have committed an (almost) unforgivable evil. Commented Apr 12, 2011 at 23:50
  • I think a valid case for this is if you want the password field to show dots or no dots to indicate whether a password already exists or not. When populating your model you could say model.Password = String.IsNullOrEmpty(user.Password) ? "" : "********";, but PasswordFor won't use the value. So you can't give an indication of whether a value exists. Commented Aug 25, 2017 at 19:49

6 Answers

162

As described above, it is better to avoid doing this for security reasons. If you still want to persist the password so that you proceed from where the current validation failed, you can use the HTML helper with the HTML attribute parameter:

     Html.PasswordFor(x => x.Password, new { value = Model.Password})

7 Comments

this answer is actually answering the question!
It's bad because your password is then cached client-side.
I worked with a dummy password. After submitting the dummy password a check makes sure the dummy password isn't saved to the database
It is telling that the majority of upvotes for this question go to the answer which introduces a security vulnerability into an application. I urge each of you to consider: Do you truly need to display a password? What flaw in your security requires you to display a password in any way? Would you trust an application which was able to reproduce your password and show it back to you? I truly hope not, but perhaps that is why identity theft is such a large problem. When you're dealing with passwords, you are dealing with people's livelihood in quite a literal way.
I think one thing a number of people like Christopher Harris are skipping over is that "password fields" are not only used for user passwords. I might not want to show a password or token string back on display, but I do want or need to store it unhashed.
39

This is as designed. Passwords are not filled to prevent accidental resubmits, and to prevent the page from containing unencrypted passwords. Obviously the password was wrong to begin with if you're posting back the credentials.

In your case, you could create an extension that does input the data, or just use an HTML input of type password.

Comments

7

MVC protects you from doing something like this for a reason. You shouldn't actually be able to do this because the user's password should not be stored unencrypted and unhashed. If your goal is to end up on http://plaintextoffenders.com/ though, you can do something like:

<input type="password" name="Password" id="Password" value="@Model.Password" />

1 Comment

Regarding plaintextoffenders, nice site, but their "comments" section text is barely visible. Check this out: plaintextoffenders.com/about ... maybe it's a pun?!
1

I found this workaround. I needed my password shown in the form:

@model User
@{
    // LabelFor renders the property's display name; Html.Label(Model.Password, ...)
    // would have used the password's value as the label text.
    @Html.LabelFor(m => m.Username, new { @class = "label" })
    @Html.TextBoxFor(m => m.Username, new { @class = "form-control" })

    @Html.LabelFor(m => m.Password, new { @class = "label" })
    @Html.TextBoxFor(m => m.Password, new { @class = "form-control make-pass" })
}

<script type="text/javascript">
    $(".make-pass").attr("type", "password");
</script>

This will make your input password-type without losing the value.

1 Comment

It's cool! You can put the script in your Site.js and use it in any password (that was my requirement)
0

As mentioned before, it's by design. But that can be wrong. We just got a new user who was confused by the empty password after the page refresh when he just added a password. So a simple fix is to change the label 'Password' to 'New password'. Now it's clear why this input box is always empty.

Comments

0

If you're using the asp-for attribute, you can also do:

<input type="password" placeholder="@(Model.Password != null ? String.Concat(Model.Password.ToCharArray().Select(p=>"*")) : "Password")" asp-for="Password">

Comments
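An alternative to echoing the stored value, built on the "dummy password" and "New password" label ideas in the comments and answers above: the form model carries only a flag that a password exists, and a blank field on submit keeps the current hash. This is an added example, not code from any of the posts; the class and member names are hypothetical, and it assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical stored record: only a salted hash is kept, never the password.
public class UserRecord
{
    public string Username = "";
    public byte[]? Salt;            // null until a password is set
    public byte[]? PasswordHash;
}

// Hypothetical edit-form model: the view receives HasPassword, not the secret.
// Assumed view usage:
//   @Html.PasswordFor(m => m.NewPassword,
//       new { placeholder = Model.HasPassword ? "Leave blank to keep current" : "" })
public class UserEditModel
{
    public string Username = "";
    public bool HasPassword;        // drives the hint shown to the user
    public string? NewPassword;     // filled by the browser on POST, never by the server
}

public static class UserEditor
{
    const int Iterations = 210_000; // assumed work factor; tune for your hardware

    // GET: build the form model without touching the secret.
    public static UserEditModel ToEditModel(UserRecord u) =>
        new UserEditModel { Username = u.Username, HasPassword = u.PasswordHash != null };

    // POST: a blank password field means "keep the current one".
    public static bool ApplyEdit(UserRecord u, UserEditModel posted)
    {
        u.Username = posted.Username;
        if (string.IsNullOrEmpty(posted.NewPassword)) return false; // hash unchanged
        u.Salt = RandomNumberGenerator.GetBytes(16);
        u.PasswordHash = Rfc2898DeriveBytes.Pbkdf2(
            posted.NewPassword, u.Salt, Iterations, HashAlgorithmName.SHA256, 32);
        return true;
    }

    public static void Main()
    {
        var user = new UserRecord { Username = "alice" };  // constructed sample data
        ApplyEdit(user, new UserEditModel { Username = "alice", NewPassword = "first-Pa55" });
        var before = user.PasswordHash;
        var form = ToEditModel(user);   // what the view gets: a flag, no secret
        form.Username = "alice2";       // user edits the name, leaves the password blank
        bool changed = ApplyEdit(user, form);
        Console.WriteLine($"{user.Username} changed={changed} " +
            $"sameHash={ReferenceEquals(before, user.PasswordHash)}");
    }
}
```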
