What is the security of using input "password " or"text"?
Recently we are in a wave of using the combination of input of passwords with the option to hide/display the password (*** -> abc), with the "eye"technique. I understand this purpose as it greatly improves the UX side of the application.
I know that one of the reasons to use type="password" would be to hide the password from the "curious" eyes around. But other than that, I would like to know if there is any deeper security issue that might involve input and the password itself.
Because if there is, we should have the user change back the input to the type password before sending any information.
1 answers
Zero !
Is just what is in the question itself, it hides the password when it is typing and nothing else.
If your computer is infected with something, it will read the password normally. And you have nothing to do about it. I've seen tried (COF COF banks) do things to solve this and are innocuous.
Needless to say, to send it is also worth nothing. Only HTTPS solves this issue and solves it well, of course if used correctly. Just don't expect HTTPS resolves all types of existing attacks.
Remember that everything that goes to the client is out of your control and can be observed and even changed without you knowing, so we say that you can not trust anything that comes from the client: using validation via client is enough?.
Even using HTTS, you can only trust that the information was not observed and tampered with in shipping, cannot guarantee that it was not tampered with before being sent, much less note.