In client-side HTML, if we change type="password" to type="text", the password is displayed as plain text in the browser. Is there any security issue with this? If there is, what is the solution to this issue?
Example as follows:
type="password"
type="text"
Using <input type="password"> on web pages with the HTTP protocol is unsafe because hackers can steal user data. User data protection is provided by using the HTTPS protocol.
<input type="password">: <input> elements of type password provide a way for the user to securely enter a password.
input type=password – password-input field: The input element with a type attribute whose value is "password" represents a one-line plain-text edit control for entering a password.
There are two rather different security issues involved.
One of them is the one so often mentioned as a reason for using input type=password: to protect the user against prying eyes. This is seldom relevant, since passwords are normally typed (and should be typed) so that there is nobody else looking at your screen or your hands.
The other one is different treatment of input type=text and input type=password by browsers in their histories and in using previously entered data as defaults or as selectable options. This varies by browser, but quite often, input type=text causes an automatic prefill if data has previously been entered in a field with the same name. Using the autocomplete=off attribute usually prevents this in modern browsers. On the other hand, browsers may store username/password pairs to make frequent visits to a site more comfortable; this can be an essential usability improvement and an essential security threat. It is typically based on recognizing a pair of input type=text and input type=password.
You could leave the decision to the user by offering both options. Perhaps the least distracting way to do that is to have an input type=password with a checkbox “Show password when typed”, JavaScript-driven of course, which when checked turns type=password to type=text.
There is no difference between input type=text and input type=password in handling the data, once it has been read. In both cases, the data will be sent to the server as unencrypted, unless the entire form data is encrypted.
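The "Show password when typed" checkbox suggested above, as an added example that is not part of the original answers; the function name and the element ids `pw`, `show-pw` and `login` are assumptions. It switches the field back to type=password on submit, so the value is not submitted from a type=text field, which the answer notes browsers may remember and prefill.

```javascript
// Added example, not code from the original page.
// Assumed markup (ids are hypothetical):
//   <form id="login"> <input id="pw" type="password">
//   <input id="show-pw" type="checkbox"> Show password when typed </form>

function attachShowPassword(input, checkbox, form) {
  // Apply the checkbox state to the field. Masked is the default state.
  function sync() {
    input.type = checkbox.checked ? "text" : "password";
  }

  // Force the field back to masked and clear the checkbox.
  // Run on submit so the password is never sent from a type=text field,
  // which browsers may record in form history and offer as a prefill.
  function mask() {
    checkbox.checked = false;
    input.type = "password";
  }

  checkbox.addEventListener("change", sync);
  form.addEventListener("submit", mask);

  // Start from a known state even if the page was restored with the
  // checkbox still ticked.
  sync();
  return { sync, mask };
}

// Wire up the real elements only when running in a browser.
if (typeof document !== "undefined") {
  attachShowPassword(
    document.getElementById("pw"),
    document.getElementById("show-pw"),
    document.getElementById("login")
  );
}
```

The toggle only changes what is shown on screen; as the answer says, the submitted value is handled the same way for both types, so it still needs HTTPS in transit.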
Well, the issue is that the password is displayed in plaintext on the screen. This gives anyone shoulder-surfing the opportunity to see the password. It's typically hidden so people who just happen to stand around cannot see the password being typed in and one can type in a password even with not-so-trusted people nearby.