Protecting against input type ="password" changes? [closed]

Question

Closed. This question needs details or clarity. It is not currently accepting answers.

Want to improve this question? As written, this question is lacking some of the information it needs to be answered. If the author adds details in comments, consider editing them into the question. Once there's sufficient detail to answer, vote to reopen the question.

Closed 7 years ago.

Improve this question

Are there any protections against users using Chrome Developer Tools to right click on a password input field, and then change input type="pass" to "text" to reveal the password?

There are probably JavaScript ways but once again that is extremely easy to disable.

Any improvement is better than what we have now, as the trick is too commonly known.

Why does it matter? You should only be using password inputs for input, so anything in there is what the user typed. If you're using them to conceal passwords that you're returning from the server, you've got bigger problems... — Matthew
– Matthew, Commented Jun 1, 2018 at 9:26
"Any improvement is better than what we have now" why does it need to be improved? What's "broken"? What's the threat? — schroeder
– schroeder ♦, Commented Jun 1, 2018 at 9:32
In fact, you should worry that if your site is hack and injected with a script that will send password,credit info back to attacker C&C. Developer tools is the last thing you should pay attention to . — mootmoot
– mootmoot, Commented Jun 1, 2018 at 11:16
This question could be improved by clarifying what risks you think are presented by a user being able to change the form type. — Monica Apologists Get Out
– Monica Apologists Get Out, Commented Jun 1, 2018 at 17:08
As stated, this is not a security question because there is no threat or risk involved, and after queries, the OP is not offering what those threats or risks are. As stated, this is just a web programming question. — schroeder
– schroeder ♦, Commented Jun 2, 2018 at 17:21

Benoit Esnard · Accepted Answer · 2018-06-01 10:00:26Z

Well, you can do it using the MutationObserver API.

const inputPasswordElements = document.querySelectorAll('input[type=password]');
const observer = new MutationObserver(function (mutations) {
    mutations.forEach(function (mutation) {
        if (mutation.type === 'attributes' && mutation.attributeName === 'type') {
            mutation.target.value = '';
        }
    });
});
Array.from(inputPasswordElements).forEach(function (input) {
    observer.observe(input, {attributes: true});
});

This will remove the password if the input type is changed. Demo available here.

But why would you do that? The user can read the password in the source anyway, so that won't prevent him to do so.

Also, please note that allowing the user to see his password in a clear-text format is quite common now, to allow him to check for typos before submitting a form. If your website doesn't allow this option, it's very likely that users will check in the source themselves.

Do not be hostile with your users, please. Help them instead.

Stack Exchange Network

Protecting against input type ="password" changes? [closed]

1 Answer 1

Hot Network Questions

Protecting against input type ="password" changes? [closed]

1 Answer 1

Related

Hot Network Questions