password reveal feature on inputs

Ojan Vafai

Jun 27, 2017, 8:12:40 PM
to input-dev, Kent Tamura, Monica Dinculescu
https://twitter.com/notwaldorf/status/879563156778921984

Seems like a neat feature and not hard to implement. Should we add it?

TAMURA, Kent

Jun 27, 2017, 8:39:44 PM
to Ojan Vafai, input-dev, Monica Dinculescu
I agree that it's neat. However, page authors and Chrome extensions can add such behavior. So I'm not sure we should add it to the UA.

data:text/html;charset=utf-8,<input type=password value=foo><div onmousedown="document.querySelector('input').type='text'; return false" onmouseup="document.querySelector('input').type='password'" style="display:inline-block; border:1px solid blue;">Reveal</div>


On Wed, Jun 28, 2017 at 9:12 AM, Ojan Vafai <oj...@chromium.org> wrote:
https://twitter.com/notwaldorf/status/879563156778921984

Seems like a neat feature and not hard to implement. Should we add it?



--
TAMURA Kent
Software Engineer, Google


Ojan Vafai

Jun 27, 2017, 8:42:41 PM
to TAMURA, Kent, input-dev, Monica Dinculescu
In general, I agree we shouldn't add too much more complexity to built-in form controls. This one seems like something basically every password form field would want though, so seems reasonable to me given that we already have password fields.

Alexandre Elias

Jun 27, 2017, 10:23:37 PM
to Ojan Vafai, TAMURA, Kent, input-dev, Monica Dinculescu
This button looks too small to be touch-friendly, and it's inherently difficult to make a large enough touch target given the constraints of the textbox.  For that reason, I don't think we should add it.

Alexandre Elias

Jun 27, 2017, 10:34:38 PM
to Ojan Vafai, TAMURA, Kent, input-dev, Monica Dinculescu
Secondly, even though I don't think the underlying security concern has merit, if we add such a feature we can expect a lot of negative feedback from all kinds of parties including concerned users, web developers, device OEMs, enterprise customers and so on about how this allows people with physical access to the device to steal their password.  We can explain all day long how such an attacker has many other ways to steal the password already -- many people are unlikely to be satisfied with this response.  As a result, we'd have to respond to a lot of feedback at a minimum, and possibly would feel forced to provide web developer-facing, OEM-facing and enterprise-facing mechanisms to disable the feature.

It would help a lot in these discussions to be able to point to Edge as prior art, but I think there's still a lot of "iceberg" to this issue.