Keep your password safe!

I’m currently working on a short course on web security. In this course, I’m going to show a couple of common mistakes in websites that create gaping holes. I’d like to give you a small tip in advance, just to make you more aware of what you are doing when you hit that ‘remember my password’ button in your browser.


Although I’m pretty sure your browser itself keeps the password safe, it has to place the plaintext in the password field of the login form to be able to submit it. With this small trick you (and anyone else who might sit down at your PC) can read it again…

When the saved username is selected and the browser has filled the password box with the masking dots (‘*’), right-click the password box and choose ‘Inspect’.

In the inspector, go to the console and type: $0.value


Et voilà, your password is exposed.

‘$0’ refers to the element currently selected in the inspector. ‘.value’ simply writes that element’s value property to the console, and for a password input the value property holds the password in plain text. The masking is purely visual: anything that can run script in the page, or anyone with access to the inspector, can read the field exactly as the form would submit it.