Tags: javascript, passwords

Should Passwords and Username be visible in request tab of network tab?


I'm working on a login system (the current code refers to changing the password as an example, but it is related):

An example of the code, using Axios, for changing a password:

(Please do not comment on the current localStorage code; I am aware of its flaws. This is for testing purposes, and this question strictly relates to the password.)

    axios.put(
        'http://localhost:5001/auth/changePassword',
        // Request body: both passwords are sent as plain JSON fields
        {
            currentPassword: password.currentPassword,
            newPassword: password.newPassword,
        },
        // The session token travels in a request header
        {
            headers: { accessToken: localStorage.getItem('accessToken') },
        }
    )
    .then((response) => {
        if (response.data.error) {
            alert(response.data.error)
        } else {
            alert(response.data.message)
        }
    })
    // Network or HTTP-level failures reject the promise; report them too
    .catch((err) => alert(err.message))

If I click the request tab I can see the password in plaintext. This is kind of jarring; is there no way somebody unauthorised could see this in a similar fashion? I have hashing on the server side, no problem, and auth tokens etc. But being able to see the password so plainly like this... is this actually a problem?

Screenshot of password samples


Solution

  • TL;DR: No, you can't hide it, and no, it's not problematic.*

    Part 1: Devtools and the Network Tab

    Chrome is making those requests, from your device. That much is indisputable, as that's just how the internet works. It makes sense that an end user should be able to see the fields submitted. You could obfuscate the plaintext in some way, but it's not particularly problematic.

    It's unlikely that this presents a significant risk to an end user. As you mentioned in your comment, the devtools window also has to be open to log the request in the first place.

    Part 2: HTTPS - A Quick Summary

    A majority of browsing is done with HTTPS: Hypertext Transfer Protocol (Secure). HTTPS cryptographically secures the entire conversation between your device and the intended server, meaning no man-in-the-middle can read the plaintext of your traffic without some significant trickery (most of which will require some level of access to your device first).

    It's not perfect, of course, but it's almost certainly safe to say that the larger risk is posed by your machine itself, which is easier to compromise and could give an attacker access to these credentials.


    Note: I'm not an expert, and this is a heavy simplification of the process. I'd suggest doing some reading into the protocols themselves if you want a better understanding of what's going on behind-the-scenes.

    * Except in very specific conditions.