Pitfalls when rolling your own "show password" functionality

Does placing a plaintext password in a text input run the risk of the password being scraped by malicious plugins?

Malicious plugins can scrape any form data, password fields included, or even log it before it is being written. So changing the type makes no difference here.

In general, there is no point in trying to defend against malicious browser plugins. If your user has one, it's game over.

Specifically, do modern browsers implement any security mechanisms around password-type inputs besides the visual obfuscation using dots?

Password fields have autocomplete turned off by default. To prevent the browser from saving the password and potentially leaking them as suggestions later, you must make sure to explicitly set autocomplete="off" on the input field. This should deal with both suggestions while typing, and autofilling previous state e.g. when using the back button.

There might be older browsers who ignores autocomplete="off" - who knows, browsers used to do all sorts of stupid things - but I doubt that is a large percentage. Still, could be an issue.

The presence of a password field makes some browsers warn more aggressively about unencrypted connections. So using text fields instead could mute the warnings, which is bad. But if you are using TLS with HSTS that shouldn't be an issue.

Also, it might mess with password managers (both the browsers built in, and external). But that is more a usability than a security issue.

Does the above link reflect the current industry best practice for this kind of functionality?

Aside from the autocomplete issue, I think this would be fine as long as you are OK with the inherent risk of shoulder surfing. Who knows what I have overlooked, though.

Since you say "industry best practice" I have to mention that manipulating the DOM directly like that isn't really how it's usually done anymore, but that has nothing to do with security.

To be honest though, I have to admit that I am no big fan of this functionality. It feels a bit hacky. I would recommend against implementing it unless you have very specific reasons to do so. That is based more on my gut feeling (and a general aversion to non essential features) than anything else, though.

The biggest threat, by far, is the autocomplete feature. Make sure the browser does not save the password in the autocomplete history.

  1. Yes - however, it's difficult to account for this, since those malicious plugins could inject the JS themselves to change the password fields into text fields.
  2. AFAIK, the browsers don't do anything special with the Password fields other than prevent the characters from reading to the screen, and preventing autocomplete from saving the contents (although not the built-in password manager).
  3. I'm fairly certain Industry Best Practice (TM) would be to not do this at all, but as long as you ensure that you are aware of the risks, you can do it safely.

Look at this Stack Overflow question.