Does the HTML Password Input Type provide security benefits?

I have a project at work where we have multiple forms that have the user input passwords. These forms also have validation and other functions that need to re-render the same view after sending requests to the controller to complete tasks. For example, one of these forms is for collecting server connection info and the user can test the connection before submitting that host to the database.

Because the form has to be submitted for the controller to have the data needed to test the server connection, the input fields need to be repopulated when the view is re-rendered with the connection results. We populate the view so that the user can still submit the data to the database without having to fill out all the fields again.

However, in our tech stack (ASP.NET MVC) the password field can’t be populated with model data when the view is re-rendered. To get around this, another engineer on my team implemented a fix that renders the password field as a text input in the HTML and then dynamically changes the field’s type attribute to “password” after the view is rendered.

While this approach works, and you can’t even see the password as the switch happens on page load, it did have me wondering if we were losing any security benefits from having the potential password in a text input for any length of time. To find out, I did a little research into what the password input type actually does. Does it provide notable protection benefits that we were missing out on? Was the user’s data unsafe?

Well, turns out the user’s data is pretty much just as safe with our dynamic input type-changing solution as it would be with a constant password type, or even with a plain text input type for that matter. The main benefit that the password input type provides is that it hides the password from anyone around the user who could see what they’re typing. The functionality of password inputs also varies from browser to browser. For instance, Edge adds a button to show the password, while Chrome just hides the password with no other functionality.

There isn’t any protection of the password going on when you use the password type. The data that the user entered is still accessible within the DOM and more security precautions would be needed to make it secure. We don't rely solely on the password input type to secure our data, but it's still nice to know the limitations!
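
The re-render workaround described above puts the password into the served markup as a value attribute, whatever type the field ends up with. As an added example (not code from the original post), this Node.js check scans rendered HTML for secret-bearing inputs that arrive pre-filled; the sample markup, the field names and the name pattern are constructed assumptions.

```javascript
// Added example: audit server-rendered HTML for credential fields that arrive
// with a pre-filled value. Regex parsing is an assumption that holds for
// simple, well-formed markup; use a real HTML parser for arbitrary pages.

// Constructed sample: a re-rendered view like the one described above.
const SAMPLE_VIEW = `
<form method="post" action="/hosts/test">
  <input type="text" name="Host" value="db01.example.internal">
  <input type="text" name="Password" id="pw" value="S3cr3t-constructed">
  <input type="password" name="ConfirmPassword" value=''>
  <input type="password" name="ApiSecret" value="constructed-key">
</form>
<script>document.getElementById("pw").type = "password";</script>`;

// Hypothetical naming convention for fields that hold secrets.
const SECRET_NAME = /pass|pwd|secret/i;

// Parse the attributes of one <input ...> tag into a lower-cased key map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every secret-bearing input whose value is present in the markup.
function findPrefilledSecrets(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttributes(tag);
    const type = (a.type || "text").toLowerCase();
    const isSecret = type === "password" || SECRET_NAME.test(a.name || "");
    if (isSecret && a.value) {
      // Report the length only, so the audit output never repeats the secret.
      findings.push({ name: a.name, type, valueLength: a.value.length });
    }
  }
  return findings;
}

console.log(findPrefilledSecrets(SAMPLE_VIEW));
```

Both flagged fields carry their value in the response body; the script that flips `type` to `password` changes only how the browser draws the field.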
