What is the security in using input "password" or "text"?


Viewed 478 times

7

Recently there has been a wave of combining password inputs with an option to hide/display the password (*** -> abc), using the "eye" technique. I understand the purpose, as it greatly improves the UX side of the application.

Eye Password Box

I know one of the reasons to use type="password" is to hide the password from the "curious" eyes around. But other than that, I'd like to know if there are any deeper security issues that might involve the input and the password itself.

Because if there are, we should make the user change the input back to type password before sending any information.

  • 4

    It really is only to hide the password; it has absolutely no extra security benefit. So much so that you can get the full text of the password with JavaScript, or simply change its type to text in the element inspector.

  • In addition to the points cited by @Neuberoliveira, there is one more thing: when the field is of type password, it is impossible to copy the content using Ctrl + C (at least on Linux and Windows). But as he said himself, it is possible to capture the content using JavaScript.

1 answer

12


Zero!

It's just what's in the question anyway: it hides the password when typing and nothing else.

If the computer is infected with something, it will read the password normally. And there is nothing to do about it. I have seen attempts (cough cough, banks) to do things to solve this, and they are innocuous.

Needless to say, it is not worth anything in transmission either. Only HTTPS solves this issue and solves it well, if used correctly of course. Just don't expect HTTPS to solve all kinds of existing attacks.

Remember that everything that goes to the client is out of your control and can be observed and even changed without you knowing, so we say that you can't trust anything that comes from the client: Is using client validation sufficient?

Even using HTTPS, you can only trust that the information has not been observed or tampered with in transit; you cannot guarantee that it was not tampered with before it was sent, much less that it was not observed.
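
The point made in the answer and comments, as an added example that is not part of the original post: a simplified model of how a browser decides which form controls contribute to the submitted body, going slightly beyond the thread by covering other control types as well. The field objects, names and values are constructed for illustration, and the submitter button is not modelled.

```javascript
// Added example: simplified model of the HTML form-submission "entry list".
// The control objects are constructed sample data, not a real DOM.
const BUTTON_TYPES = new Set(["submit", "button", "reset", "image"]);

// Decide which controls contribute a name/value pair, roughly as browsers do.
function buildEntryList(controls) {
  const entries = [];
  for (const c of controls) {
    if (c.disabled || !c.name) continue;      // disabled or unnamed: skipped
    if (BUTTON_TYPES.has(c.type)) continue;   // buttons: skipped (no submitter modelled)
    if ((c.type === "checkbox" || c.type === "radio") && !c.checked) continue;
    // Every other type, "text" and "password" alike, lands here:
    // the type decides how the field is rendered, never what is sent.
    entries.push([c.name, String(c.value ?? "")]);
  }
  return entries;
}

// application/x-www-form-urlencoded body, as sent by a plain POST form.
function encodeBody(controls) {
  return new URLSearchParams(buildEntryList(controls)).toString();
}

// Constructed login form; pwType is whatever state the "eye" toggle left it in.
function loginForm(pwType) {
  return [
    { name: "user", type: "text", value: "alice" },
    { name: "pass", type: pwType, value: "s3cret p@ss" },
    { name: "remember", type: "checkbox", value: "on", checked: false },
    { name: "go", type: "submit", value: "Login" },
  ];
}

const masked = encodeBody(loginForm("password"));
const revealed = encodeBody(loginForm("text"));

console.log(masked);                                // body with the field masked
console.log(masked === revealed);                   // same bytes either way
console.log(new URLSearchParams(masked).get("pass")); // trivially decoded by any observer
```

Switching the field back to type password before submitting changes nothing in the request, and the value is percent-encoded rather than protected, so confidentiality in transit comes from HTTPS alone.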
