The Problem with Passwords

by Lyle Mullican

46 Reader Comments

  1. I have tested it and it works very well, and it's a very nice idea.

    The only thing I'd like to note is that you can check if the password is already there from the browser, and if it is, do not show the button, because then it's easy for some third person to see it in a second.

    So add this line, if(input.value == ""), to not show anything if the password exists there from the browser.

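    if (input.type == 'password') {
      // Only offer the control when the browser has not pre-filled the field
      if (input.value == "") {
        // ... rest of the article's code for this field ...
      }
    }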

  2. @Aristos: To disable the 'Show password' button if the browser pre-fills it for you is a good idea. But it still means that a person sitting next to you could see the password you have just typed into that field, if he is quick (and a not so good friend).

    What I proposed in my former post will prevent this from happening:

    1. When the user checks the 'Show password' box, a new, empty text field is created, and the original password field is hidden behind the new field.

    Then no one will ever see what anyone (else) has written in the password field.

  3. The idea of having clear text passwords may be alright if I’m working on my home PC, but if that was the web standard then user accounts would be getting hacked left, right and centre.
    The idea to toggle between the two is okay but involves more code and maybe overcomplicates the login process; however, admittedly I have used the feature on my router before.

    Personally I think a less secure, easy-to-remember password is better than having only a clear text password input field, but I would personally always recommend using strong passwords and having them hidden from view.

  4. Any time you use JavaScript to access and store passwords, you are demonstrating what any advertiser can do on your site.  Truly, the only reason why the user name/password combination is in prevalent use today is because it is easy to implement.  Other options that are arguably more secure such as PKI (caveats with that as well) and biometrics are notoriously difficult to do on the web.

    I like the concept of OpenID, which provides some creative ways around the whole user name/password concept.  For example, the people at “My OpenID” (myopenid.com) provide an option to generate a key that is specific to your browser.  As long as your browser has that key and you have the password to that key you can get into any website that supports the OpenID protocol.  Of course, this presents problems with internet cafes.

    The real solution is to find something other than arcane passwords to protect access to the site, that still gives both the web site and the user a high confidence level.  A real solution will also address site spoofing (phishing attempts) which is a real problem.

    Any solution that allows access to what I typed through JavaScript demonstrates just how easy it is to steal credentials.  To all web designers: do not allow advertising on any page that takes in passwords.  It is too easy to accidentally include malicious ads, and even in HTML 5 there is no appropriate sand-boxing of content that originates from other servers.

  5. There are obvious usability issues with not being able to see the password you are typing.  There are also times where it would be more practical to just see a password in an admin panel rather than have to reset it.  There’s no rational reason why a person signing into their “A List Apart” account from their own office shouldn’t be able to see the password as they are typing it. 

    Regardless of this, making this information visible might draw complaints from users because it is different from their expectations.  There are also many times when the highest level of security is critical.

    Having a “View your password as you type” link is a no-brainer for non-sensitive logins.  It allows the user to judge whether they feel secure in their environment.  Additionally, a popup layer could provide additional instructions: “Use this if you are in a private location.”

    Taking responsibility for this improves the success of the site.  So why leave it to the browser or OS?  Most users will not know how to use these features anyway.

  6. function togglePassword(elementId, showText) {
      // Clone the field (with its handlers) so the type is set on a detached copy
      var newPasswordField = $(elementId).clone(true);
      $(newPasswordField).attr('type', showText ? 'text' : 'password');
      // Swap the original field for the retyped copy
      $(elementId).replaceWith(newPasswordField);
    }

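An added example, not part of the original comments or the article's code: one way to combine the browser-prefill check from comment 1, the clear-on-reveal behaviour from comment 2 and the type toggle from comment 6. The name `createRevealGuard`, the element ids and the one-character-per-event heuristic for spotting late autofill or paste are assumptions of this example.

```javascript
// Added example. Works on any object with `type` and `value`, so a real
// <input> element or a plain stub both fit.
function createRevealGuard(input) {
  let lastLength = input.value.length;
  // A value present at setup came from the browser or server, not the user.
  let typedHere = lastLength === 0;

  // Call from the field's "input" event.
  function onInput() {
    const len = input.value.length;
    if (len === 0) {
      typedHere = true;            // emptied: whatever follows is typed now
    } else if (len - lastLength > 1) {
      typedHere = false;           // bulk insert: late autofill or paste (heuristic)
    }
    lastLength = len;
  }

  // Call when the "Show password" box changes; returns the resulting type.
  function setVisible(show) {
    if (show && !typedHere) {
      // Comment 2's behaviour: reveal an empty field, never the stored secret.
      input.value = "";
      lastLength = 0;
      typedHere = true;
    }
    input.type = show ? "text" : "password";
    return input.type;
  }

  return { onInput, setVisible };
}

// Browser wiring; the element ids are hypothetical.
if (typeof document !== "undefined") {
  const field = document.getElementById("password");
  const box = document.getElementById("show-password");
  if (field && box) {
    const guard = createRevealGuard(field);
    field.addEventListener("input", guard.onInput);
    box.addEventListener("change", () => guard.setVisible(box.checked));
  }
}
```

Pasted passwords are treated like autofill here, so revealing after a paste clears the field; that is the conservative side of the heuristic.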