Hi all,
A customer wants to have a password field on a form, do you have any suggestions about how to do that?
I'm asking since this is not a native type of form field (the characters should be hidden and sent to the system). I know it's possible by JS, but any specific ideas on how to do that properly?
Thanks,
Ronen
MktoForms2.whenReady(function(form) {
  // Grab the underlying <form> element and the input you want masked
  var formEl = form.getFormElem()[0],
      passwordEl = formEl.querySelector("[name='YourPasswordFieldName']");
  // Switch the text input to a masked one; the value is still posted as typed
  passwordEl.setAttribute("type", "password");
});
Bear in mind a type=password field doesn't do anything but hide characters from the end user (and people snooping over their shoulder). Has nothing to do with database storage.
Thanks SW,
So JS, as I thought.
I wonder how this wasn't dealt with before... I will open an idea about this...
The reason it has not been dealt with before is that Marketo is not a safe place to store passwords (field values can be openly read by users and extracted from the database with a simple token in an email or a landing page), and Marketo offers no authentication mechanism (comparing the entered password to the stored value in order to grant access to something).
So capturing a password in a Marketo form is of very limited use.
-Greg
Grégoire Michel, we are planning to use a Marketo form to capture a password value (and have it confirmed by a "confirm your password" field) only to have it pushed through an API to another app (to create a Talend account) and then have it deleted, so it is not stored in Marketo for more than 3 minutes. Is that also not safe to do?
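Building on the whenReady snippet above and the confirm field Cécile describes, here is an added example (not from the original thread and not Marketo's own code) that masks both inputs, tells browsers not to autofill or remember them, and uses a Forms 2.0 onValidate hook to block submission until the two entries match. The field names "YourPasswordFieldName" / "YourConfirmFieldName", the 8-character minimum, and the use of MktoForms2.$ for the error anchor are assumptions.

```javascript
// Added example, not part of the original thread or of Marketo's own code.
// Assumed: the form has two text fields named "YourPasswordFieldName" and
// "YourConfirmFieldName", and MktoForms2 (Marketo Forms 2.0 API) is loaded.
var PASSWORD_FIELD = "YourPasswordFieldName";
var CONFIRM_FIELD = "YourConfirmFieldName";
var MIN_LENGTH = 8; // assumed policy; align with the target app's rules

// Pure check, kept separate from the DOM so it can be unit-tested.
// Returns null when the pair is acceptable, otherwise an error message.
function validatePasswordPair(password, confirm) {
  if (typeof password !== "string" || password.length < MIN_LENGTH) {
    return "Password must be at least " + MIN_LENGTH + " characters.";
  }
  if (password !== confirm) {
    return "Passwords do not match.";
  }
  return null;
}

// Turn a plain text input into a masked one and stop browsers from
// autofilling, suggesting or spell-checking the value.
function maskInput(el) {
  el.setAttribute("type", "password");
  el.setAttribute("autocomplete", "new-password");
  el.setAttribute("spellcheck", "false");
}

if (typeof MktoForms2 !== "undefined") {
  MktoForms2.whenReady(function (form) {
    var formEl = form.getFormElem()[0];
    var passwordEl = formEl.querySelector("[name='" + PASSWORD_FIELD + "']");
    var confirmEl = formEl.querySelector("[name='" + CONFIRM_FIELD + "']");
    maskInput(passwordEl);
    maskInput(confirmEl);

    // Runs on every submit attempt; hold the post until the pair validates.
    form.onValidate(function () {
      var vals = form.vals();
      var error = validatePasswordPair(vals[PASSWORD_FIELD], vals[CONFIRM_FIELD]);
      if (error) {
        form.submittable(false);
        form.showErrorMessage(error, MktoForms2.$(confirmEl));
      } else {
        form.submittable(true);
      }
    });
  });
}
```

Masking and matching only protect against shoulder-surfing and typos; the value still travels to Marketo in clear text, so the storage and activity-log caveats in the replies below still apply.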
Proper password management requires that passwords never be stored in plaintext: they must always be salted and hashed when at rest.
Not to say people don't break this rule all over the place, but you'd never pass an audit that way.
If the 3 minutes is truly on a timer (not a guess) it's not the worst thing in the world. Still, let's be clear on what happens when you "delete": it's not an actual byte-level purge. The data still exists in physical data and log files. If Marketo should be hacked within a few hours, or even days, of your delete operation you must assume the data will be available, depending on how deep the hack goes. At the very least you should set the field to hold a string of "0"s up to the max length of the password, not just set it to empty.
Bonjour Cécile,
In addition to Sanford's points, remember that the password will remain visible in the activity log for 90 days.
-Greg
Great point, Greg. That's an explicit log that wouldn't even take hacking the database logfiles.