You might have heard about tricks to view the saved passwords while logging into web pages. Here is the usual scenario. You open up a login page, Chrome automatically fills in the login ID and the password. You, however, want to know what that password is. Chrome hides it behind a series of dots.

Update: As Andre mentioned in comments, the reveal button will be available only for passwords that you enter manually into a form, not for autofill passwords. Thank you Andre!

You can go to the “inspect element” view and change “type” from “password” to “text” to view it. Alternatively, you could go to Chrome Settings and see all saved passwords. There are even extensions to reveal saved passwords on websites.

Now, we might get an official “Reveal” button to see the saved password, if I am reading this commit correctly.

Here is the description of this code change:

This change implements the reveal button for .

The button is added using same pattern as the clear/cancel button for
except that instead of using -webkit-appearance to
draw the button, we use svgs defined in controls-refresh.css.

A keydown handler is added to support Alt-F8 hotkey to reveal/obscure
password and logics are added to make sure the reveal button only appears
with direct user input. If the password is not empty in the first place
(ex. autofill or value=xxx) or the control loses focus and regains focus,
or the value is changed by script, the reveal button won’t show.

Note we are using -internal-reveal as the pseudo element id, so there is
no way for authors to customize or hide the reveal button. This might be
changed after a consensus over what id to use is reached, or after the
button gets standardized.

Comments within the code commit go on to talk about how this will work. For example, “if the last character is deleted, the reveal button will be disabled” and “Always obscure password when the reveal button is hidden. (ex. out of focus)”
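
The rules quoted above from the commit description and code comments can be read as a small state machine. The sketch below is an added example, not code from the Chromium commit; the class and method names are hypothetical, and it assumes that typing into an empty, focused field is what counts as direct user input.

```javascript
// Illustrative model of the reveal-button rules quoted from the commit
// description. Not Chromium code: class and method names are assumptions.
class PasswordFieldModel {
  constructor(initialValue = "") {
    this.value = initialValue;   // value=xxx or autofill present at start
    this.focused = false;
    this.eligible = false;       // true only while the value is direct user input
    this.revealed = false;
  }
  // Button is shown only for a focused, non-empty, user-typed value.
  get buttonVisible() {
    return this.focused && this.eligible && this.value.length > 0;
  }
  // "Always obscure password when the reveal button is hidden."
  hideButton() { this.eligible = false; this.revealed = false; }
  focus() { this.focused = true; }  // regaining focus does not restore eligibility
  blur() { this.focused = false; this.hideButton(); }
  userType(text) {
    if (!this.focused) return;
    // Assumption: typing into an empty field starts a direct-input session.
    if (this.value.length === 0) this.eligible = true;
    this.value += text;
  }
  userDeleteLast() {
    this.value = this.value.slice(0, -1);
    if (this.value.length === 0) this.hideButton(); // last character deleted
  }
  // Autofill or a script assigning the value: not direct user input.
  setValueNonUser(v) { this.value = v; this.hideButton(); }
  // Models both a click on the button and the Alt-F8 hotkey.
  toggleReveal() {
    if (this.buttonVisible) this.revealed = !this.revealed;
    return this.revealed;
  }
  rendered() {
    return this.revealed && this.buttonVisible ? this.value : "•".repeat(this.value.length);
  }
}

// Constructed walk-through: a prefilled field versus a hand-typed one.
function demo() {
  const autofilled = new PasswordFieldModel("hunter2");
  autofilled.focus(); autofilled.userType("!");
  const typed = new PasswordFieldModel();
  typed.focus(); typed.userType("s3cret"); typed.toggleReveal();
  const shown = typed.rendered();
  typed.blur(); typed.focus();
  return { autofillVisible: autofilled.buttonVisible, shown, afterRefocus: typed.rendered() };
}
console.log(demo());
```

In this model a prefilled value never becomes revealable by appending characters to it, which is the property that keeps autofilled passwords behind the dots.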

I am also assuming that there will be a way for developers to hide the Reveal button if they want to. I’m sure web developers working for banks and financial institutions would need that control.

Is This Safe?

I am still not 100% sure that I am reading this code commit and comments correctly. That’s because a part of me thinks this is not a safe option to have. Well, technically people can steal your password from the “inspect element” menu if they want to (if they have access to your computer, that is). However, this change (again, if I am reading it correctly) makes it easy for people to view those passwords.

I would love to hear your comments on this. What do you think? Smart move or not?