How safe is it to use "password" or "text" input?

4

Recently there has been a wave of combining password inputs with an option to hide / display the password (*** -> abc) using the "eye" technique. I understand the purpose, because it greatly improves the UX side of the application.

I know that one of the reasons for using type="password" is to hide the password from the "curious" eyes around. But other than that, I wonder if there is any deeper security issue that might involve the input and the password itself.

If there is, we should have the user change the input back to type password before sending any information.

    
asked by anonymous 09.09.2016 / 13:59

1 answer

6

Zero!

It's just the question; it hides the password when typing and nothing else.

If the computer is infected with something, it will read the password normally. And there is nothing you can do about it. I have seen attempts (cough, banks, cough) to do things to solve this, and they are innocuous.

Needless to say, it is not worth anything for sending either. Only HTTPS solves this issue, and solves it well, provided of course that it is used correctly. Just do not expect HTTPS to resolve all types of attacks.

Remember that everything that goes to the client is out of your control and can be observed and even changed without you knowing, so we say that you cannot trust anything that comes from the client: Is using validation via client enough?

Even using HTTPS, you can only trust that the information has not been observed or tampered with in transport; you cannot guarantee that it has not been tampered with before being sent, much less observed.

    
09.09.2016 / 14:04
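Added example, not part of the original question or answer: the "eye" toggle and the question's "switch back to password before sending" idea, run against plain objects standing in for input elements. The function names, field names and sample values are assumptions made up for this illustration, and `encodeForm` is a simplified form encoder that serializes only name and value, as form submission does.

```javascript
// Added example. `input` is any object with `name`, `type` and `value`:
// a real HTMLInputElement in the browser, a plain object here.

// The "eye" control: flips only the on-screen masking.
function toggleVisibility(input) {
  input.type = input.type === "password" ? "text" : "password";
  return input.type;
}

// What the question proposes: re-mask the field before the form is sent.
function remaskBeforeSubmit(input) {
  input.type = "password";
}

// Simplified application/x-www-form-urlencoded encoding: only name and
// value are serialized; the `type` attribute never leaves the page.
function encodeForm(inputs) {
  const body = new URLSearchParams();
  for (const input of inputs) body.append(input.name, input.value);
  return body.toString();
}

// Any script running in the page reads the value the same way for both types.
function readByScript(input) {
  return input.value;
}

// Constructed sample fields (not real credentials).
function demo() {
  const user = { name: "user", type: "text", value: "alice" };
  const pass = { name: "pass", type: "password", value: "s3cret p@ss" };

  const masked = encodeForm([user, pass]);   // field still shows ***
  toggleVisibility(pass);                    // user clicks the eye: *** -> abc
  const shown = encodeForm([user, pass]);
  const seenByScript = readByScript(pass);
  remaskBeforeSubmit(pass);                  // the question's proposal
  const remasked = encodeForm([user, pass]);

  return { masked, shown, remasked, seenByScript, finalType: pass.type };
}
```

The three encoded bodies are byte-for-byte identical, so re-masking before submit changes what is on screen and nothing about what is sent; protection of the sent value comes from HTTPS, as the answer says.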