Is a "Show Password" option on login form safe?

Apart from the obvious security issue of someone else being able to physically see what password you are typing - which the user would be aware of anyway - there are a few security "concerns" that could arise with how it is implemented and what (trustworthy) software is on the user's system, that could potentially expose the password to third party apps/tools unnecessarily.

If the "show password" option simply changes the type of the input element to text then any browser plugins (or third party apps) that check spelling of text fields will now be active on the element. In Google Chrome this could involve sending the text to Google to "Ask Google for suggestions".

I also have a third party dictionary app installed that will look up text under the mouse cursor. This doesn't work on password fields, but does on text fields.

Text fields are also copyable (potentially by a third party app), password fields are not.

Login forms shouldn't be autocomplete enabled anyway, but changing the type of the INPUT to text does potentially allow the password to be saved in the browser's autocomplete database (which is not necessarily secure), unless the INPUT is changed back to password before submission.

An alternative to changing the type of the password field is to "show the password" in a non-form element. This might be "safer".

In summary... it should be safe, but I think there are potential risks that the end user might not be aware of. But it is the end user that has to make the choice to "show password".
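The mitigations this answer mentions, as an added example that is not part of the original answer: spell checking is turned off before the field becomes a text field, the field is switched back to `password` before submission, and the non-form-element alternative is shown as `mirrorPassword`. The element ids and function names are assumptions.

```javascript
// Added example. Element ids ('login-form', 'password', 'show-password')
// and all function names are assumptions, not taken from any real site.

// Variant 1: toggle the input type, but disable spell checking first so a
// browser or extension spell checker is not run over the revealed value.
function setPasswordVisible(input, visible) {
  input.setAttribute('spellcheck', 'false');
  input.type = visible ? 'text' : 'password';
  return input.type;
}

// Variant 2: leave the input as type=password and show its value in a
// non-form element (e.g. a <span>), which is never submitted with the form.
function mirrorPassword(input, output, visible) {
  // textContent, not innerHTML: the password must not be parsed as markup.
  output.textContent = visible ? input.value : '';
  return output.textContent;
}

function wireShowPassword(form, input, checkbox) {
  checkbox.addEventListener('change', () => {
    setPasswordVisible(input, checkbox.checked);
  });
  // Re-mask before submission so the browser sees a password field, not a
  // text field whose value could be stored as ordinary form autocomplete.
  form.addEventListener('submit', () => {
    checkbox.checked = false;
    setPasswordVisible(input, false);
  });
}

// Only runs in a browser; the functions above work on any element-like object.
if (typeof document !== 'undefined') {
  wireShowPassword(
    document.getElementById('login-form'),
    document.getElementById('password'),
    document.getElementById('show-password')
  );
}
```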


If we are ignoring everything else you mention, (i.e. shared computer, Firefox saved passwords, etc.) the "show" password feature is, by itself, not a security risk. It is for convenience and the "everyday user". There is nothing stopping someone from using the built-in browser inspector and changing it to an input type textbox from password. It serves the same purpose (showing the password) but without having to "modify" the HTML. I do it all the time on sites that don't have that 'feature'. A textbox of type password only masks the letters on the UI.


There is no inherent security issue with unmasking the password field per se. In the functional working of a site any method that can access form fields (such as server side posts or javascript) will still be able to access the data from the masked field without any effort at all. The masking of the password serves two functions. For one it prevents someone from simply looking over the shoulder of the user to see what their password is, and it is also a bit of security theatre, making the user feel that their password is secure whether or not it is particularly secure.

Having a checkbox that would allow you to unmask the password is not particularly a security issue as it would allow the end user to decide if they want to see the password that they have typed in and to make the decision as to if they are in a situation where they feel it is safe to have the password visible on the page or not.

The security of the password itself is more dependent on how the user stores the password (as in not written down anywhere), and if the connection from the browser to the server is secure (HTTPS) than the type of field used for the user to type in the password.