Information Security
Cat Anton, 2014-12-01 13:47:00

Why is it customary to clear the password field when a form has been filled in incorrectly?

On many sites, I would even say almost all, you can observe the following when trying to register:
1. The user enters, for example, an email and a password, and sends the data to the server.
2. If there is an error, for example the email is already taken, the password field is cleared.
As a result, the user has to not only correct the error in the email but also re-enter the password, and sometimes fill in the "Repeat password" field again, which is terribly annoying.
It is obvious that this clearing of the user's password is done for security reasons.
What is the danger of leaving a previously entered password?
How can such a vulnerability be exploited?


1 answer(s)
Armenian Radio, 2014-12-01
@27cm

If the registration form is reloaded from the server, and the password was sent correctly (it is not the password itself that is sent, but its hash), the server simply does not know what to put back in this field.
If the submission occurs without reloading the page (using ajax), I see no reason to irritate the user.
It is best when registration occurs over HTTPS and using ajax.
