cj13579
September 9th, 2010, 09:55 AM
Hi all,
Before I start with my problem, may I give you a little background info...
At work we hire a security firm who every so often scans our routers for security holes etc. and provides us with fixes. This isn't a human system but rather one that just emails us a report with links to their site for the fixes.
Anyways, on its latest search it has come back, rightly, saying that one of our sites uses plain text HTML password fields which are insecure. My problem is, the system isn't clever enough for us to tell it to ignore that site/port and according to the powers that be within my firm the data is sensitive enough for them to want to keep the login system but the data is not sensitive enough for them to want to fork out for the HTTPS certificate fees which the security system is saying is what we will have to do to pass the tests. Also, self-signing isn't really an option.
I can beat the test by just setting the input type to be "text" instead of "password", which the system just sees as a non-intrusive form but it doesn't look particularly pretty!!
So, I was wondering, is there a way to use JavaScript or something to dynamically mask the field with a "-", "*", dot or anything else?
Your help as always is much appreciated!
Regards
Chris