Is a "Show Password" option on login form safe?
A website I use occasionally has had a recent overhaul and added a "Show" checkbox next to the password field on their login form. I understand why some people want these when they're actually typing their password in, but it seems like a security hole if you're using a password manager that fills your password.
In my case, the password is saved in Firefox's password manager which is in turn secured with a master password **. So, yes, someone else using Firefox on my computer temporarily can potentially log in to this site automatically, but I at least expect they can't actually see my current password.
However, with this new check box they can: I visited the site, went to the login form, which Firefox pre-filled with my password (obfuscated as a series of dots). Then I clicked on "Show" and sure enough my password was displayed in plain text.
Finally, if this is a security issue, what's a concise way to outline the problem to the web admin of the site? I'm not a web designer/admin myself.
** For the sake of this thread, let's not go into a big discussion about whether the Firefox password manager is a safe way to secure passwords. I use it only on my home and work computers which are rarely used by others. Also even if you think I should be using a more robust manager like LastPass, I think a similar vulnerability would exist if someone happens to sit at your computer while LastPass is logged in.
Apart from the obvious security issue of someone else being able to physically see what password you are typing - which the user would be aware of anyway - there are a few security "concerns" that could arise with how it is implemented and what (trustworthy) software is on the users system, that could potentially expose the password to third party apps/tools unnecessarily.
If the "show password" option simply changes the type of the input element to text then any browser plugins (or third party apps) that check spelling of text fields will now be active on the element. In Google Chrome this could involve sending the text to Google to "Ask Google for suggestions".
I also have a third party dictionary app installed that will look up text under the mouse cursor. This doesn't work on password fields, but does on text fields.
Text fields are also copyable (potentially by a third party app), password fields are not.
Login forms shouldn't be autocomplete enabled anyway, but changing the type of the INPUT to text does potentially allow the password to be saved in the browser's autocomplete database (which is not necessarily secure), unless the INPUT is changed back to password before submission.
An alternative to changing the type of the password field is to "show the password" in a non-form element. This might be "safer".
In summary... it should be safe, but I think there are potential risks that the end user might not be aware of. But it is the end user that has to make the choice to "show password".
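The two mitigations this answer mentions (revealing the value in a non-form element instead of flipping the field's type, and restoring the password type before submission on sites that do flip it), written out as an added example that is not the answerer's or any site's own code. Element parameters are assumed to be DOM nodes; plain objects with the same properties also work, so the logic can be exercised outside a browser. The mirror element is still ordinary page content readable by any script on the page, as the next answer points out.

```javascript
// Added example: "show password" without changing <input type="password">
// to type="text". The current value is mirrored into a non-form element
// (e.g. a <span>), so spell-checkers, form history and tools that only act
// on text inputs never see the field itself change type.
function createPasswordReveal(passwordInput, revealTarget) {
  let shown = false;
  // Copy the current value into the mirror element; the field's type is
  // never touched.
  const sync = () => {
    revealTarget.textContent = shown ? passwordInput.value : "";
    revealTarget.hidden = !shown;
  };
  // Keep the mirror current while the user types (only on real DOM nodes).
  if (typeof passwordInput.addEventListener === "function") {
    passwordInput.addEventListener("input", sync);
  }
  return {
    show() { shown = true; sync(); },
    hide() { shown = false; sync(); },
    toggle() { shown = !shown; sync(); return shown; },
    isShown() { return shown; },
  };
}

// For sites that implement "show" by switching the type to "text": put the
// field back to type="password" before the form is submitted, so the plain
// value is not offered to the browser's autocomplete / form-history store.
// Returns true when the field had been left unmasked.
function restorePasswordType(passwordInput) {
  if (passwordInput.type === "text") {
    passwordInput.type = "password";
    return true;
  }
  return false;
}

function attachSubmitGuard(form, passwordInput) {
  if (typeof form.addEventListener === "function") {
    form.addEventListener("submit", () => restorePasswordType(passwordInput));
  }
}

// Browser wiring (assumed element ids, hypothetical):
//   const pw = document.getElementById("password");
//   const reveal = createPasswordReveal(pw, document.getElementById("pw-mirror"));
//   document.getElementById("show").addEventListener("change", () => reveal.toggle());
//   attachSubmitGuard(document.getElementById("login-form"), pw);
```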
There is no inherent security issue with unmasking the password field per se. In the functional working of a site any method that can access form fields (such as server side posts or JavaScript) will still be able to access the data from the masked field without any effort at all. The masking of the password serves two functions. For one it prevents someone from simply looking over the shoulder of the user to see what their password is, and it is also a bit of security theatre, making the user feel that their password is secure whether or not it is particularly secure.
Having a checkbox that would allow you to unmask the password is not particularly a security issue as it would allow the end user to decide if they want to see the password that they have typed in and to make the decision as to if they are in a situation where they feel it is safe to have the password visible on the page or not.
The security of the password itself is more dependent on how the user stores the password (as in not written down anywhere), and if the connection from the browser to the server is secure (HTTPS), than the type of field used for the user to type in the password.
If we are ignoring everything else you mention (i.e. shared computer, Firefox saved passwords, etc.) the "show" password feature is, by itself, not a security risk. It is for convenience and the "everyday user". There is nothing stopping someone from using the built-in browser inspector and changing it to an input type textbox from password. It serves the same purpose (showing the password) but without having to "modify" the HTML. I do it all the time on sites that don't have that 'feature'. A textbox of type password only masks the letters on the UI.