3

I've recently discover that if you use inspect element to see the source code of the Html, you can change this <input type="password"/> to <input type="text"/> then you can see the password revealed, So, how can I avoid that in angularJS? or pure Javascript?

Any dark in the light will be appreciated.

napstercake
  • 195
  • 1
  • 1
  • 4
  • 33
    Can you please describe the attack you are trying to prevent? Are you worried that I will type in my password, then I will make the change you suggested so that other people can see my password? :D – TTT Jan 28 '16 at 17:01
  • 38
    Am I the only one that's confused by this question? Are we talking about the situation when a user enters a password, then someone physically attacks them and rips them off of their chair before they press enter, then fiddles with the page source so they can see the password that was entered in? I feel like I'm taking crazy pills! – TTT Jan 28 '16 at 17:21
  • 1
    You are absolutley right @TTT i'm totally agree with you, the thing is that is part of a requirement in my project, kind of part of the contract. – napstercake Jan 28 '16 at 17:22
  • 5
    @TTT This could be a scenario that takes place like in this [question I just asked](http://security.stackexchange.com/questions/112012/are-partially-typed-passwords-a-potential-security-risk) where a user types in their password then leaves for whatever reason leaving the typed password in the box. – DasBeasto Jan 28 '16 at 17:33
  • 6
    @DasBeasto - that is not something I would worry about. The user would have to type in their password, not press enter, leave their workstation unlocked, walk away, and this has to be on a shared computer or in a public setting. If you're worried about that, you should also worry that the user will write their password on a piece of paper and leave it next to the keyboard, and you should be **much** more concerned about someone installing a keylogger on the machine. – TTT Jan 28 '16 at 17:40
  • @TTT true, definitely not a common thing and not something you should/can write code to prevent from happening. – DasBeasto Jan 28 '16 at 17:42
  • 17
    This is basically a case of 'if an attacker has access to your machine, its not your machine anymore'. Similar statements are true even on the server side. – David says Reinstate Monica Jan 28 '16 at 17:48
  • @DavidGrinberg - Well stated. I'll extrapolate: the question asks how can this be avoided? The answer is: you shouldn't even bother trying to avoid it. – TTT Jan 28 '16 at 17:58
  • 2
    Browsers are implementing a button to add this feature so a user can unmask a password field (I first saw it in IE, I think it's starting to show up in other browsers), which accomplishes this same thing without using code. AFAIK you won't be able to prevent this unless you have control of the clients, and even then I don't know if it can be diabled. – Tim Jan 28 '16 at 18:06
  • 2
    There are browser extensions that will display your password. For example, [ShowPassword](https://chrome.google.com/webstore/detail/showpassword/bbiclfnbhommljbjcoelobnnnibemabl) for Chrome. There are similar Firefox extensions. There's no way that you can avoid this. – Neil Smithline Jan 28 '16 at 21:49
  • @TTT you're missing a case that many applications have (like *Github*) when there are actions that involve important decisions like, changing ownership or confirm deleting an account; in those cases apps may ask the authorized user to confirm type their password and perform the action only if the password is valid. Imagine now that I'm at my work with *someone* next to me and I need to leave my desk for a situation (*toilet?*), then that individual could grab the change and navigate to a route that seeks for a password confirmation and can even perform the task and/or reveal a saved password. – Christos Lytras Jun 04 '21 at 13:52
  • @ChristosLytras but there is no saved password. This question is about typing in the password in a field that displays it as asterisks while you type, and then opening a developer tab and fiddling with the html so that you can see the password instead of it displaying asterisks. The person sitting next to you would have to convince you to type in your password and not press enter, and then walk away. – TTT Jun 04 '21 at 16:55
  • @TTT actually there is no discrimination or any kind of statement that even implies that this question is **only** for *non auto-filled/saved* passwords; this O/P is regarding about **the** *password*, not the *typed* and/or *auto-filled* password. If you still disagree then please point out where this question becodes explicit related to *non-saved* passwords. – Christos Lytras Jun 04 '21 at 19:15
  • @ChristosLytras how (and why!) would some saved password that isn't typed in get into the rendered HTML to the client? BTW, OP agreed with my interpretation in the comments from 2016. :) (And so do all of the answers, I think.) – TTT Jun 04 '21 at 19:35
  • @TTT I pointed out how and why that may happen on my first comment and again, through routes that require users to confirm passwords; one such route is when a user requests to delete their account, or when you perform some important ownership actions. For example, if I sit on your computer and navigate to [Github / Account security](https://github.com/settings/security) I can get your password to auto-fill if I click on the *"Old password"* field ([screenshot](https://prnt.sc/1427oa6)]. Also, I don't care who agrees, I just wanted you to understand some situations that are likely to happen. – Christos Lytras Jun 04 '21 at 19:58
  • @ChristosLytras Isn't that just your browser filling in the pw from it's pw manager? (I don't think GitHub *could* put your password there even if it wanted to.) – TTT Jun 04 '21 at 20:36
  • @TTT this is not about a specific application like Github, of course it's the browser that does that (*and I didn't mention anywhere that it's the Github that is doing the password auto-filling BTW*) and the user that will sit on your computer they will have your browser in-front of them; the application can be anything, Github is just an example for to demonstrate this case. What's your point in mentioning that it's the browser that does the auto-filling anyway? (*Something that I assume most of the people here will already know*) – Christos Lytras Jun 04 '21 at 21:30
  • @ChristosLytras it's because you started the conversation by talking about "important decisions" and "confirming passwords", but that isn't really relevant, I think? In hindsight, it would have been much simpler if you said, "Another scenario is if you leave your machine unlocked, and you have a password manager in your browser, someone could navigate to a website's login, let your browser autofill the pw, and then they could open developer tools, change the field type and they then know your password." To which I would have responded: "Absolutely! Good point!" (And that is a good point, btw.) – TTT Jun 04 '21 at 21:40
  • @TTT you are describing almost a same scenario with my example except that my basic point is about when an aplication requests for users password even after login. I mentioned Github as an example to understand precisely for what I'm talking about. I have to state **WHY** an application may request a user to give their password **even after a user has been logged in**. I'm glad you finally get to understand of what *attack/situation we may try to prevent* here and you agree. BTW, I won't wait any longer for you to point me our where this O/P is **explicit regarding non auto-filled passwords**. – Christos Lytras Jun 05 '21 at 08:26
  • @ChristosLytras I'm sorry I just don't understand what you mean. If the attack vector is someone using your pw manager to auto-fill passwords when you're not at your unlocked machine (and then inspected), then why does it matter if you're already logged into a website or not? The threat is the same either way. – TTT Jun 05 '21 at 11:28
  • @TTT IMO it's much more insecure when users are already logged in and maybe have a sense that their saved passwords are only likely to auto-fill at the login screen; technically **there can be a difference** that in the case of a password confirmation, an application may require the user to **type OR paste** their passwords and **never accept** auto-filled passwords, but such deep analysis is beyond the score of this Q/A. Also I'd like to add that such attackers may know how to change the `type` from `password` to `text` but that doesn't mean they have the knowledge to reveal *state* variables – Christos Lytras Jun 05 '21 at 11:51

8 Answers8

32

This sounds like a bad case of Security Theater

Security theater is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.

I say this because in all reality...

Given enough time, effort, and computing power security is nothing more than a delay.

Of course it gets worse than that. Javascript is an computer based language, which means it must be run by a machine. That machine can be told to ignore your Javascript.


What this really means though is that you're asking the wrong question. What you're really asking:

How do you keep your forms safe from someone using saved passwords to fill out the form, and then changing the type of the form to read it?

And to this answer it's pretty simple:
Keep your terminal safe and secure. The only way to prevent this kind of attack is to not let an attacker on a system with a saved password in the first place.

Why? Because you have a "spectrum". Let's call it the security spectrum in this simplified example:
At the basis of simple security you have the following:

Security >----------------------------------------------< Ease of Use

In most cases this is what happens:
The more Security you have, the less Ease of Use you have.
The more Ease of Use you have, the less Security you have.

By using a form that has a password in it and leaving it there, you are increasing your Ease of Use and decreasing your Security

Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
  • 17
    Pedantry: it's not _just_ a spectrum. Some people decrease ease of use without doing anything to increase security. In other cases, you can increase security without decreasing ease of use. – Michael Jan 28 '16 at 18:39
  • 3
    Javascript being interpreted has nothing to do with the problem. Even if it were compiled (which it frequently is), the browser could still ignore and not run it. – user2357112 Jan 28 '16 at 18:47
  • 3
    @Michael this was a simplified example, so I'll clarify that. – Robert Mennell Jan 28 '16 at 19:37
  • Now I am wondering what is the point of asking for system password when opening Chrome's manage password. Attacker can easily know the password from the auto-populated fields. Only benefit is he won't be able to list down the saved passwords at one go. – aaa Jan 29 '16 at 00:44
  • @aaa that is kind of the idea. If you have left your information in an area where someone can get access to the debugger you have used your computer in an unsafe location in a bad way, which is already a breach of security – Robert Mennell Apr 04 '16 at 20:20
10

There is no way to prevent an attacker doing this if they are already accessing the developer tools - they can simply pause the javascript and continue what they are doing. The best you may be able to do is clear the password box after a small amount of inactivity.

William Dunne
  • 316
  • 1
  • 10
  • 2
    Note that clearing the password field with Javascript may not work against `CTRL+Z`. – Mark Buffalo Jan 28 '16 at 16:59
  • 11
    No way to prevent an attacker from doing what exactly? Looking at their own password? – TTT Jan 28 '16 at 17:17
  • 1
    I assumed he is worrying about people leaving their login details on the screen while they make a Coffee, and an attacker using the vector he described to see it – William Dunne Jan 28 '16 at 18:26
  • @WilliamDunne - yep. I probably could have deleted my comment here after we clarified it up above. – TTT Jan 28 '16 at 18:52
  • I'll add to thiscomment that if i have access to developer tool i can see every request sent by the browser with their data non-encrypted (even if HTTPS) so i'll be able to see the password there too. – Walfrat Jan 29 '16 at 11:07
5

The bottom line is that you can't, but this is not as much of an issue as one might think.

The thing to keep in mind is that when you change the source in a browser's debugger (which is what you're describing), it doesn't get saved anywhere. This means that the change only affects the machine the debugger is running on. I can't change the password field to 'text' on everyone's machine, just mine. It also means that the change only takes effect until the next time the page is loaded, so even if I set it up once, I can't turn a machine into a password-collecting robot by doing this.

Another thing to keep in mind is that scripts don't have to change the password field's type to get at its value. They can get it through plain old scripting, and there are very real advantages to doing it that way. The biggest is that since you don't change the field's type, the user doesn't see anything unusual, so users aren't tipped off that something could be wrong.

Now, all of this said, you do have to be wary of cross-site scripting attacks, which can do the sorts of things you mention (though they still don't have to change the field's type to get its value). There are already a number of best practices to avoid XSS attacks, and the common XSS filter evasion methods are well known, so you can test against them too. None of these will stop the debugger trick, but as I outlined above, the debugger trick doesn't need to be stopped: XSS does.

The bottom line is that you don't need to be alarmed about the browser debugger. There are related attacks that you should be worried about, but they're well-studied, and none of them involve the browser debugger.

The Spooniest
  • 1,637
  • 9
  • 10
3

You can not do this because all things are happening on the client side and he has almost full access to your code (html, css, javascript) using developer tools. So, he can pause or stop javascript.

Ohnana
  • 4,737
  • 2
  • 23
  • 39
3

If you're really worried about this, you could do away with passwords entirely in your application. Have the user enter their username or email and send them an email with a temporary login link.

Sam
  • 131
  • 3
  • If someone has access to scrape password data from your forms, they likely have access to your cookies too: Once someone clicks the temporary login link, they could steal your session cookie and use that to login instead. – Rohaq Jan 29 '16 at 15:38
  • Sure, but the user may not be logged into their email on the same computer and it prevents the potential to expose a password which the user may use on other sites. If someone has access to your email they can already easily reset your password on most sites. In reality, the whole scenario is a bit ridiculous and there's not much you can do as a developer, as other answers have stated. – Sam Jan 29 '16 at 15:47
2

You can't. The form needs to be able to send the password to the server for validation. Even if you develop some kind of obfuscation technique (not recommended) then, like William Dunne said, you can simply pause/stop Javascript.

You are trying to achieve security through obscurity, and it won't work.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • You assume that every people that can right click and inspect an input element and change its `type` from `password` to `text` are cappable of debuging javascript using **proper** breakpoints and event listener hooks? I believe such an assumption is far from reality. – Christos Lytras Jun 07 '21 at 08:17
0

You might be able to use divs and other elements to make your own text field, kinda like the text fields on google forms. If you did this, you could set it up so that as the user types, it just modifies the content of a encrypted JavaScript variable, and does not actually type in the text field.

-2

In Javascript, for already saved passwords, a way could be:

on load:

  1. save the value of the input in a variable
  2. replace the value the input with a random sting with the same length

on login click:

  1. replace the random value with the value that you saved in the variabe
  2. submit the form

Remeber that:

Someone can anyway read the password from the variable through javascript
for example:
console.log( passwordVAR );

Zalk358
  • 11
  • 7
    This is theatrics and obfustication, not security. This will reduce security for users, not increase it. – Caleb Jan 28 '16 at 22:20
  • @Caleb I know it's been a while since this Q/A, but I'd like to know how a method like this can reduce security; can you please provide a brief explanation on why an obfustication like this reduces security? – Christos Lytras Jun 07 '21 at 08:11
  • @ChristosLytras First, it introduces *more* attack surface. If you are coding things up this way clearly you don't understand what you are messing with, so any code you write is going to add exposure, not reduce it. Second you loose some of the browser's built in security measures. Third you create an illusion of security without the real thing: like a smoke screen used to deflect cannon fire. The canon will still blow you to pieces if you aren't in the trench or behind a real barricade, but because you can't see it pointed at you you feel safer standing up and walking around. – Caleb Jun 10 '21 at 08:35
  • @Caleb thank you for your reply. IMO all of your points are valid for developers and/or hackers that know how to debug an application and dive deep into memory state (*from OS debugging with ASM, to browsers debugging with debug console*), but not everybody that knows how to change an input field type from `password` to `text` has the knowledge to debug an application. The hacker will have the password either way by digging into the state variables but not everybody is a hacker. Anyway, I would like to have an extended discussion regarding this subject but we can't do it here. Thanks again. – Christos Lytras Jun 10 '21 at 10:15
  • @ChristosLytras The panel that shows Javascript values is literally right in the same place one would need to go to fiddle with the page source, and in some browsers it is better organized; and again you would be side stepping the default browser protections it uses to mitigate risks posed by password fields. Frankly, I'm not interested in having an extended discussion having to defend why obscurity and theatrics is bad security—the topic is covered at length in many places. – Caleb Jun 10 '21 at 16:52
  • @Caleb again I have to **pause** the debbuger or search and find the event listener of the *Submit* button and add a breakpoint to it and hit it and even then, I'll need to be prepared of what type of state I'm going to deal with (*react internal, redux, angular, vue, etc.*); all of that requires time which a **physical** attacker may not have even if they know all about these. So, you're missing my point of **how many people are capable of doing all of these stuff** and the topic is complicated so to address it as **covered**. Browser input `password` type may also be considered as theatrics. – Christos Lytras Jun 10 '21 at 17:18
  • @ChristosLytras I think you've lost the plot. If you have a password field and the browser has remembered credentials or the user has entered them and you have a physical attacker with control of the browser **you have lost the game**. If they can rewrite the DOM they can also sidestep your theatrics. You keep thinking nefarious actors play by your rules. If you have a better proposition post your own answer and get your own feedback. Or write your own browser. – Caleb Jun 10 '21 at 18:54
  • A situation: I’m at my office with a *individual* and I suddenly need to leave my desk and get out of the office (*going to toilet, an important call, etc.*) and I don’t lock my computer. The person inside my office can sit on my computer, navigate to a URL that requires my password and they auto-fill it of my saved passwords (*for productivity*). Now they have seconds to reveal that password and they right-click on the input and change type `password` to `text` and *boom*, they get a picture with their phone and close the browser tab. In a case of an obfuscated password, *they won’t have it*. – Christos Lytras Jun 10 '21 at 19:11