How to display user password as asterisk (*)

Hi,

I've a user logged in area and want them to view their account information in the settings.php.
However, how do I display the user's password as asterisk (*) e.g. Your Password: ******* like on facebook.com setting area so they can change or manage it.

Thanks

 

HTML:
<input type=password>

or

PHP:
$hidden_password = preg_replace("|.|","*",$real_password);

 

Thanks the preg_replace("|.|","*",$real_password); works perfectly.

 

For the record, it's bad to store the plain text password in your database. You should be hashing it.

If you really want to show the right number of asterisks, you could create a column that stores how long the user's password is

 

Agreed on the above. There's no reason you should ever store passwords in plain text. There's no reason a person needs to see their existing password. Use a function to reset the password if they forget it or need to change it. Store passwords using MD5 or SHA1 and a unique salt.

 

md5 and sha1 are actually pretty bad choices, there's much better algorithms available;

http://www.php.net/manual/en/function.hash.php

 

SHA-1 is currently the NIST / DOD standard. It's a very fast hashing mechanism. The only faster are MD5 and lesser hashes. There's no reason to use a more complex method for hashing something as small and simple as a password.

 

the faster the algorithm the easier to crack, think about it. Using MD5 for hashing your passwords is basically like not hashing them at all these days anyways

 

If you use a salt, MD5 is still effectively unbeatable. Without knowing the salt, there's no way to utilize a rainbow table. Even if you accidentally found a known hash, the original value still wont work, because it will be salted before being hashed. This is why adding a salt to all hashed functions is necessary. SHA-1 just decreases the likelihood of having a hash collision by increasing the output bits from 128 to 160. There are hashes that don't have collisions, but if it's good enough for current DOD usage, there's no reason to reinvent the wheel.

 

You can use something like MD5( SHA1( 'password' ) ).

 

That's not what security is.

And yes, by all means I agree about salts.