Dispersion Design

< Back

Password Input Fields

2012-04-13

Introduction

This is a pretty basic piece of information, but when creating user interfaces, it is important to make sure that a field where a user enters a password does not display the password back in plain text.

Login screen with unobscured password field

This prevents the user’s password from being seen by an unauthorized person who might be able to view the user’s display.

Hiding Password Input Field Values in HTML

When creating interfaces in HTML, the <input> tag is used to create most input elements. The ’type‘ attribute is used to select the type of input, so a regular text input box would be created with:

<input type="text">

A password input field would then be created by setting the ‘type’ attribute to “password”:

<input type="password">

The type="password" input field creates a text input field, just like type="text" , but the text is obscured when displayed back in the browser:

Login screen with obscured password field

HTTP Method Security Considerations

It is important to point out that setting an input field in HTML to 'password' only hides the contents of the field on the user’s screen. The contents are not encrypted and are sent as plain text to the server.

The next step to adding a little more security is to make sure that the form is not transmitted as a GET request using the method= attribute in the <form> tag:

<!-- BAD! Using the GET method to send passwords -->
<form method="get">
	<input type="password">
</form>


<!-- STILL BAD! GET is the default if no method is specified -->
<form>
	<input type="password">
</form>

The GET method transmits the form data as part of the URL. For example:

Password displayed in URL

This password can then easily be viewed in a variety of ways by unauthorized people, including looking at the user’s browser history or the server web logs.

By setting the HTTP method to POST, the form data is no longer sent as part of the url:

<!-- Better. POST will not display form data in the URL -->
<form method="post">
	<input type="password">
</form>

HTTP vs HTTPS

When using HTTP, form data sent using the POST method is still transmitted as plain, unencrypted text. Although the methods suggested above are important, if you are really concerned about securely transmitting passwords, you need to use HTTPS instead of HTTP. HTTPS encrypts any data sent between browser and server, ensuring that passwords cannot be stolen by any unauthorized listener in-between.