SOLVED

Using a password field on a form

Go to solution
Ronen-Was-SRpro
Level 6

Using a password field on a form

Hi all,

A customer wants to have a password field on a form, do you have any suggestions about how to do that?

I'm asking since this is not a native type of form field (the characters should be hidden and sent to the system). I know it's possible by JS, but any specific ideas on how to do that properly?

Thanks,

Ronen

Ronen Wasserman
Tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

MktoForms2.whenReady(function(form) {

   var formEl = form.getFormElem()[0],

       passwordEl = formEl.querySelector("[name='YourPasswordFieldName']");

  

   passwordEl.setAttribute("type","password");

});

Bear in mind a type=password field doesn't do anything but hide characters from the end user (and people snooping over their shoulder). Has nothing to do with database storage.

View solution in original post

7 REPLIES 7
SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

MktoForms2.whenReady(function(form) {

   var formEl = form.getFormElem()[0],

       passwordEl = formEl.querySelector("[name='YourPasswordFieldName']");

  

   passwordEl.setAttribute("type","password");

});

Bear in mind a type=password field doesn't do anything but hide characters from the end user (and people snooping over their shoulder). Has nothing to do with database storage.

View solution in original post

Ronen-Was-SRpro
Level 6

Re: Using a password field on a form

Thanks SW,

So JS, as I thought,

I wonder how this wasn't dealt before... I will open an idea about this...

Ronen Wasserman
Grégoire_Miche2
Level 10

Re: Using a password field on a form

The reason why it has not been dealt with before is because Marketo is not a safe place to store passwords (field values can be openly read by users and extracted from the database with a simple token in an email or a landing page) and Marketo offers no authentication mechanism (comparing the entered password to the stored value in order to grant access to something).

So the capturing a password in a Marketo form is very limited.

-Greg

Cecile_Maindron
Level 10

Re: Using a password field on a form

Grégoire Michel​ we are planning to use a Marketo form to capture a password value (and have it confirmed by having a "confirm your password field") only to have it pushed through an API to another app - to create a Talend account - and then have it deleted - so not stored in Marketo more than 3 minutes. Is that also not safe to do that?

SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

Proper password management requires that passwords never be stored in plaintext -- they must always be salted + hashed when at rest.

Not to say people don't break this rule all over the place, but you'd never pass an audit that way.

If the 3 minutes is truly on a timer (not a guess) it's not the worst thing in the world. Still, let's be clear on what happens when you "delete": it's not an actual byte-level purge. The data still exists in physical data and log files. If Marketo should be hacked within a few hours, or even days, of your delete operation you must assume the data will be available, depending on how deep the hack goes. At the very least you should set the field to hold a string of "0"s up to the max length of the password, not just set it to empty.

Grégoire_Miche2
Level 10

Re: Using a password field on a form

Bonjour Cécile,

In addition to Sanford's points, remember that the password will remain visible in the activity log for 90 days.

-Greg

SanfordWhiteman
Level 10 - Community Moderator

Re: Using a password field on a form

Great point, Greg. That's an explicit log that wouldn't even take hacking the database logfiles.