Ronen-Was-SRpro
Level 7

Using a password field on a form

Hi all,

A customer wants to have a password field on a form, do you have any suggestions about how to do that?

I'm asking since this is not a native type of form field (the characters should be hidden and sent to the system). I know it's possible by JS, but any specific ideas on how to do that properly?

Thanks,

Ronen

Ronen Wasserman
Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

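MktoForms2.whenReady(function(form) {
   // Native <form> element behind the Marketo form object
   var formEl = form.getFormElem()[0],
       passwordEl = formEl.querySelector("[name='YourPasswordFieldName']");

   // Skip forms that do not contain the field
   if (passwordEl) {
      passwordEl.setAttribute("type","password");
   }
});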

Bear in mind a type=password field doesn't do anything but hide characters from the end user (and people snooping over their shoulder). Has nothing to do with database storage.

Ronen-Was-SRpro
Level 7

Re: Using a password field on a form

Thanks SW,

So JS, as I thought,

I wonder how this wasn't dealt with before... I will open an idea about this...

Ronen Wasserman
Grégoire_Miche2
Level 10

Re: Using a password field on a form

The reason why it has not been dealt with before is because Marketo is not a safe place to store passwords (field values can be openly read by users and extracted from the database with a simple token in an email or a landing page) and Marketo offers no authentication mechanism (comparing the entered password to the stored value in order to grant access to something).

So capturing a password in a Marketo form is very limited.

-Greg

Cecile_Maindron
Level 10

Re: Using a password field on a form

Grégoire Michel, we are planning to use a Marketo form to capture a password value (and have it confirmed by having a "confirm your password" field) only to have it pushed through an API to another app - to create a Talend account - and then have it deleted - so not stored in Marketo more than 3 minutes. Is it also not safe to do that?

SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

Proper password management requires that passwords never be stored in plaintext -- they must always be salted + hashed when at rest.

Not to say people don't break this rule all over the place, but you'd never pass an audit that way.

If the 3 minutes is truly on a timer (not a guess) it's not the worst thing in the world. Still, let's be clear on what happens when you "delete": it's not an actual byte-level purge. The data still exists in physical data and log files. If Marketo should be hacked within a few hours, or even days, of your delete operation you must assume the data will be available, depending on how deep the hack goes. At the very least you should set the field to hold a string of "0"s up to the max length of the password, not just set it to empty.
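
Added example, not part of the original thread or any poster's code: a Node.js sketch of the handling described in the reply above, where the receiving application keeps only a salted scrypt hash and the form field is overwritten with "0"s up to its maximum length instead of being emptied. The field names, the 64-character maximum, the function names and the sample submission are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumptions for this sketch (not from the thread)
const FIELD_MAX_LEN = 64;                      // max length of the password field
const SCRYPT = { N: 16384, r: 8, p: 1 };       // scrypt cost parameters
const SAMPLE_SUBMISSION = {                    // constructed sample input
  password: "correct horse battery staple",
  passwordConfirm: "correct horse battery staple",
};

// Salt + hash for storage at rest in the receiving application.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);         // fresh random salt per password
  const key = crypto.scryptSync(password, salt, 32, SCRYPT);
  return ["scrypt", SCRYPT.N, SCRYPT.r, SCRYPT.p,
    salt.toString("base64"), key.toString("base64")].join("$");
}

// Recompute with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [scheme, N, r, p, saltB64, keyB64] = stored.split("$");
  if (scheme !== "scrypt") return false;
  const expected = Buffer.from(keyB64, "base64");
  const actual = crypto.scryptSync(password, Buffer.from(saltB64, "base64"),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected);
}

// Value to write back over the plaintext: "0" repeated to max length, not "".
function overwriteValue(maxLen = FIELD_MAX_LEN) {
  return "0".repeat(maxLen);
}

// One submission: check the confirmation field, hash, build the overwrite.
function processSubmission(fields) {
  if (fields.password !== fields.passwordConfirm) {
    return { ok: false, error: "passwords do not match" };
  }
  return {
    ok: true,
    storedHash: hashPassword(fields.password),  // only this is kept at rest
    fieldUpdate: {                               // written back to the form fields
      password: overwriteValue(),
      passwordConfirm: overwriteValue(),
    },
  };
}
```

The overwrite only changes the current field value; it does not touch earlier copies such as data files or logs.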

Grégoire_Miche2
Level 10

Re: Using a password field on a form

Bonjour Cécile,

In addition to Sanford's points, remember that the password will remain visible in the activity log for 90 days.

-Greg

SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

Great point, Greg. That's an explicit log that wouldn't even take hacking the database logfiles.