[OTHER] Viewing password as user enters data in form #9689

Open
WildRyc opened this issue Oct 31, 2023 · 6 comments

WildRyc commented Oct 31, 2023

Is there a standard way of implementing a button to allow users to view the password they have entered into a form? Usually something with a little eye icon?

For example

Contributor

wewhite commented Nov 7, 2023

You would have to override the input password type, change to text on click.
I would not recommend, but seems like the norm.

Deleted...do not think this is a good idea.

Contributor

sgdowney commented Nov 7, 2023

This is an interesting read regarding implementing the password reveal functionality.
https://technology.blog.gov.uk/2021/04/19/simple-things-are-complicated-making-a-show-password-option/

Some (most?) browsers support this functionality natively (Edge for example), but can be turned off by the user. This could result in some user friction if they've opted to disable this feature and you provide this functionality. Implementing this functionality when a browser natively supports it may also have some unexpected issues.

Contributor

wewhite commented Nov 7, 2023

If it's built into the browser, that is a good place for it, don't implement your own.
Revealing a password in any form is not secure, depends on use case.

Author

WildRyc commented Nov 8, 2023

NIST documentation recommends otherwise:

> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed. The verifier MAY also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

5.1.1.2 - Memorized Secret Verifiers

Contributor

sgdowney commented Nov 8, 2023

That works for sighted users. They can ensure nobody is looking. For screen reader users you have to consider who is within hearing range if the user doesn't have headphones. You would need a technique that would have the screen reader read the characters individually (announcing upper or lower case) rather than trying to read the password as a word. Imagine trying to pronounce Sw0rDPl@y.

Author

WildRyc commented Nov 8, 2023

> For screen reader users you have to consider who is within hearing range if the user doesn't have headphones.

This looks to be addressed in the gov.uk article

Lessons:

  • allow assistive technology to understand what the button is for
  • give the user control over whether their password is announced and inform them of the current state
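
The toggle discussed in this thread (switching the input type on click, with a button assistive technology can understand and a state announcement that never includes the password), sketched as an added example that is not part of the original thread or the project's code. The function name, element ids and message strings are assumptions; re-masking on submit and disabling spellcheck are choices made for this example.

```javascript
// Added example. Function name, element ids and message strings are
// assumptions, not taken from the project or from the linked article.
function attachPasswordReveal(input, button, status, form) {
  let shown = false;

  button.type = "button";                       // must not submit the form
  button.setAttribute("aria-controls", input.id);
  status.setAttribute("aria-live", "polite");   // state changes get announced
  // Keep a revealed value away from spellcheck and auto-capitalisation.
  input.setAttribute("spellcheck", "false");
  input.setAttribute("autocapitalize", "none");

  function render(announce) {
    input.type = shown ? "text" : "password";
    // The button's visible name always says what pressing it will do.
    button.textContent = shown ? "Hide password" : "Show password";
    // Announce the state only, never the password itself.
    if (announce) {
      status.textContent = shown
        ? "Your password is visible"
        : "Your password is hidden";
    }
  }

  button.addEventListener("click", () => {
    shown = !shown;
    render(true);
  });
  // Re-mask before submission so the field leaves the page as type=password
  // and the browser does not treat the value as ordinary text input.
  form.addEventListener("submit", () => {
    shown = false;
    render(false);
  });

  render(false); // start masked and silent
  return { isShown: () => shown };
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== "undefined") {
  const input = document.getElementById("password");         // assumed id
  const button = document.getElementById("password-toggle"); // assumed id
  const status = document.getElementById("password-status"); // assumed id
  if (input && button && status && input.form) {
    attachPasswordReveal(input, button, status, input.form);
  }
}
```
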
