wet-boew / wet-boew

Web Experience Toolkit (WET): Open source code library for building innovative websites that are accessible, usable, interoperable, mobile-friendly and multilingual. This collaborative open source project is led by the Government of Canada.

Home Page: https://wet-boew.github.io/wet-boew/index-en.html


[OTHER] Viewing password as user enters data in form

WildRyc opened this issue · comments

Is there a standard way of implementing a button to allow users to view the password they have entered into a form? Usually something with a little eye icon?

For example

You would have to override the input password type, change to text on click.
I would not recommend, but seems like the norm.

Deleted...do not think this is a good idea.

This is an interesting read regarding implementing the password reveal functionality.
https://technology.blog.gov.uk/2021/04/19/simple-things-are-complicated-making-a-show-password-option/

Some (most?) browsers support this functionality natively (Edge for example), but can be turned off by the user. This could result in some user friction if they've opted to disable this feature and you provide this functionality. Implementing this functionality when a browser natively supports it may also have some unexpected issues.

If it's built into the browser, that is a good place for it, don't implement your own.
Revealing a password in any form is not secure, depends on use case.

NIST documentation recommends otherwise:

In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed. The verifier MAY also permit the user’s device to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

5.1.1.2 - Memorized Secret Verifiers

That works for sighted users. They can ensure nobody is looking. For screen reader users you have to consider who is within hearing range if the user doesn't have headphones. You would need a technique that would have the screen reader read the characters individually (announcing upper or lower case) rather than trying to read the password as a word. Imagine trying to pronounce Sw0rDPl@y.

For screen reader users you have to consider who is within hearing range if the user doesn't have headphones.

This looks to be addressed in the gov.uk article

Lessons:

  • allow assistive technology to understand what the button is for
  • give the user control over whether their password is announced and inform them of the current state
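
The approach discussed in this thread (switching the input type on click, labelling the button for assistive technology, and announcing the state rather than the password), as an added example that is not part of the original thread or of WET's own code. The element ids, the label wording and the revert-on-submit step are assumptions.

```javascript
// Added example: show/hide toggle for a password field.
// Expects a status element marked up as a polite live region in the page.
function createPasswordToggle(input, button, status, form) {
  let visible = false;

  function render(announce) {
    // Swap the input type only; the value is never copied anywhere else.
    input.type = visible ? 'text' : 'password';
    // Keep spellcheckers away from the field while it is plain text.
    input.setAttribute('spellcheck', 'false');
    // Tell assistive technology what the button controls and what it will do.
    button.setAttribute('aria-controls', input.id);
    button.setAttribute('aria-label', visible ? 'Hide password' : 'Show password');
    button.textContent = visible ? 'Hide' : 'Show';
    // Announce the state only, never the password characters.
    status.setAttribute('aria-live', 'polite');
    if (announce) {
      status.textContent = visible ? 'Your password is visible' : 'Your password is hidden';
    }
  }

  function toggle() { visible = !visible; render(true); return visible; }
  function hide() { if (visible) { visible = false; render(true); } }

  button.addEventListener('click', toggle);
  // Assumption: revert before submit so the field is handled as a password
  // (for example by password managers and form history) when the form is sent.
  if (form) form.addEventListener('submit', hide);
  render(false);
  return { toggle, hide, isVisible: () => visible };
}

// Browser wiring; the ids below are hypothetical. Skipped outside a browser.
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');
  if (input) {
    createPasswordToggle(
      input,
      document.getElementById('password-toggle'),
      document.getElementById('password-status'),
      input.form
    );
  }
}
```

The toggle changes only what is displayed. Whether a screen reader speaks the revealed characters remains the user's choice, because nothing except the visible or hidden state is written to the live region.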