
Make it possible to temporarily view the typed masked password
Open, Needs Triage, Public

Description

ASVS v4.0.2-2.1.12 requires doing this as a "best practice" - https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.pdf

Verify that the user can choose to either temporarily view the entire masked password, or temporarily view the last typed character on platforms that do not have this as built-in functionality

For example, if I test this in FF, I cannot "view" the password as I'm typing it at all....

Note: The goal of allowing the user to view their password or see the last character temporarily is to improve the usability of credential entry, particularly around the use of longer passwords, passphrases, and password managers. Another reason for including the requirement is to deter or prevent test reports unnecessarily requiring organizations to override built-in platform password field behavior to remove this modern user-friendly security experience.
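One way to meet the "temporarily view the entire masked password" option, as an added example that is not part of the original task and is not Phabricator's code. The function name, its options and the `#password` / `#toggle-password` selectors are hypothetical.

```javascript
// Added example: temporary reveal for a masked password field (ASVS 2.1.12).
// createRevealController, timeoutMs, setTimer and clearTimer are hypothetical names.
function createRevealController(input, options = {}) {
  const timeoutMs = options.timeoutMs ?? 5000;
  // Timer functions are injectable so the logic can be exercised without a browser.
  const setTimer = options.setTimer ?? setTimeout;
  const clearTimer = options.clearTimer ?? clearTimeout;
  let timer = null;

  function mask() {
    if (timer !== null) {
      clearTimer(timer);
      timer = null;
    }
    input.type = "password";
  }

  function reveal() {
    mask(); // cancel any pending timer before starting a new one
    input.type = "text";
    // "Temporarily": fall back to masked automatically after timeoutMs.
    timer = setTimer(mask, timeoutMs);
  }

  function toggle() {
    if (input.type === "password") reveal(); else mask();
    return input.type;
  }

  // Re-mask before submit so the field is never sent while it is a plain
  // text input, which browsers may record in form history.
  if (input.form) input.form.addEventListener("submit", mask);

  return { reveal, mask, toggle, isRevealed: () => input.type === "text" };
}

// Browser wiring (assumed markup: an <input id="password"> and a <button id="toggle-password">).
if (typeof document !== "undefined") {
  const field = document.querySelector("#password");
  const button = document.querySelector("#toggle-password");
  if (field && button) {
    const ctl = createRevealController(field);
    button.addEventListener("click", () => {
      button.setAttribute("aria-pressed", String(ctl.toggle() === "text"));
    });
  }
}
```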