In the client-side HTML, if we change type="password" to type="text", the password is displayed as plain text in the browser. Is there any security issue with this? If so, what is the solution to this issue?
Example as follows:
type="password"
type="text"
There are two rather different security issues involved.
One of them is the one so often mentioned as a reason for using input type=password: to protect the user against prying eyes. This is seldom relevant, since passwords are normally typed (and should be typed) so that there is nobody else looking at your screen or your hands.
The other one is different treatment of input type=text and input type=password by browsers in their histories and in using previously entered data as defaults or as selectable options. This varies by browser, but quite often, input type=text causes an automatic prefill if data has previously been entered in a field with the same name. Using the autocomplete=off attribute usually prevents this in modern browsers. On the other hand, browsers may store username/password pairs to make frequent visits to a site more comfortable; this can be an essential usability improvement and an essential security threat. It is typically based on recognizing a pair of input type=text and input type=password.
You could leave the decision to the user by offering both options. Perhaps the least distracting way to do that is to have an input type=password with a checkbox “Show password when typed”, JavaScript-driven of course, which when checked turns type=password to type=text.
There is no difference between input type=text and input type=password in handling the data, once it has been read. In both cases, the data will be sent to the server unencrypted, unless the entire form data is encrypted.
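
The "Show password when typed" checkbox described in the answer above, as an added example that is not part of the original answer. The element ids (login-form, password, show-password) are assumptions, and the field is switched back to type=password before submit so the browser still sees a password field when it records the form.

```javascript
// Assumed markup (ids are hypothetical, not from the original page):
//   <form id="login-form">
//     <input type="text" name="username">
//     <input type="password" name="password" id="password">
//     <label><input type="checkbox" id="show-password"> Show password when typed</label>
//   </form>

function attachPasswordToggle(field, checkbox, form) {
  // Reveal or mask the field according to the checkbox state.
  function sync() {
    field.type = checkbox.checked ? 'text' : 'password';
  }

  // Force the masked state and clear the checkbox.
  function mask() {
    checkbox.checked = false;
    field.type = 'password';
  }

  checkbox.addEventListener('change', sync);

  // Browsers treat type=text and type=password differently in form
  // history and credential storage, so submit as type=password.
  form.addEventListener('submit', mask);

  // Start from whatever the checkbox currently says (normally masked).
  sync();
  return { sync, mask };
}

// Wire up only when running in a page that has the assumed elements.
if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form');
  const field = document.getElementById('password');
  const checkbox = document.getElementById('show-password');
  if (form && field && checkbox) {
    attachPasswordToggle(field, checkbox, form);
  }
}
```

The toggle only changes how the value is rendered; the submitted data is identical either way, so transport encryption is still needed.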