I discovered something interesting today while messing around with the password fields in Google Chrome.
Interestingly, outputting the value of an input of type 'password' to console using console.log(password); totally negates the idea of obscuring the password fields by printing the password in plain text in the console.
var password = $('#password').val();
console.log(password);<script src=".1.1/jquery.min.js"></script>
<input class="form-control text-box single-line input-validation-valid" id="password" name="password" type="password" value="test">I discovered something interesting today while messing around with the password fields in Google Chrome.
Interestingly, outputting the value of an input of type 'password' to console using console.log(password); totally negates the idea of obscuring the password fields by printing the password in plain text in the console.
var password = $('#password').val();
console.log(password);<script src="https://ajax.googleapis./ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<input class="form-control text-box single-line input-validation-valid" id="password" name="password" type="password" value="test">Would this cause any security issues at all?
Share Improve this question asked Dec 11, 2017 at 16:34 Master YodaMaster Yoda 4,42212 gold badges45 silver badges81 bronze badges 9- 1 Reading the source code would tell you that with no JavaScript.... That is why you DO NOT set password values. – epascarello Commented Dec 11, 2017 at 16:38
- 3 if you don't have any people around you watching your dev console, this shouldn't be a security issue. – David Commented Dec 11, 2017 at 16:38
- 1 In my opinion that isn't a problem. Password fields hide passwords for real people behind your back. The browser needs the value to submit it and that's why you can log the value. – Flocke Commented Dec 11, 2017 at 16:38
- 3 A security issue is that it is trivial for an extension to read a password on any page that it has access to. So be really careful with what extensions you install in your browser. – Karl Reid Commented Dec 11, 2017 at 16:41
- 1 chromium.googlesource./chromium/src/+/master/docs/security/… – Josh Lee Commented Dec 11, 2017 at 18:18
1 Answer
Reset to default 5The value of all textual input controls is the text that was typed in it, irrelevant if it is a password input or not. The only difference that type="password" makes is that it obscures the text in the web view.
You can even call up the Dev Tools to inspect a password textbox, change type="password" to type="text" and BAM you suddenly see the plain text that you typed.