One Click Login, without seeing the text password


Our view is that “one click login” or “use password without seeing it” gives false expectations of security. There is no such thing as being able to use a password without having the ability to see it.

In practice, a user who wants to see the password can replace <input type="password" with <input type="text" in the code to see it, or right-click on a page > Inspect > go to the Network tab and see the password being sent as part of the data.

We often hear “yes but my users don’t know this”, but for us it’s not a good enough business case. Of course we may reconsider if there are better arguments that we are missing.
