Why Masked Passwords Are a Serious Security Hole

Time after time, users ask for the possibility of sharing “masked passwords” with other people. What is a “masked password”? It is something that you share with another user in a way that allows him to use it (for example for autologin) without actually seeing the password itself.

When I respond that this isn’t possible to implement in a secure way, and that I don’t want to open a security hole in the Passpack experience, people have pointed out to me that other software offers this feature. Unfortunately, several users have left Passpack for this missing “feature”. So I’d like to explore the matter further with you.

Look At How Easy It Is

You probably are not a Javascript expert. And you probably think that it is necessary to be a Javascript ninja to intercept a “masked password”. However, that isn’t so. Look at the following code:

var Jq;
(function () {
  var D = document,
      h = D.getElementsByTagName('head')[0] || D.documentElement,
      s = D.createElement('script');
  s.src = 'http://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js';
  h.appendChild(s);                      // load jQuery into the current page
  function run() {
    if (typeof jQuery != 'undefined') {  // wait until jQuery has finished loading
      Jq = jQuery.noConflict(true);
      // watch every password field and reveal its content when it changes
      Jq('input:password').change(function () {
        alert(this.value);
      });
    } else setTimeout(run, 50);
  }
  setTimeout(run, 50);
})();

Even if you don’t understand what’s written there, you’ll notice that it’s short. This bookmarklet code loads a standard Javascript framework (in this case jQuery) and then runs a handler that “watches” every password field. When the content of a password field changes, the handler makes the browser show you an alert revealing the password in the field.

Now imagine that you had shared a “masked password” with a co-worker. You may feel safe because you believe that, since he cannot read your password, he cannot access it. This false sense of security would likely lead you to ignore the best practices of sharing — e.g. changing the password every time you remove someone from sharing. In other words, you would probably continue to use your no-longer-safe password.

Without knowing any programming language, your co-worker could load a login page, run a simple piece of Javascript like the one above, click the button that starts the autofill… et voilà, he’d know your top-secret “masked password”.

Do You Want To Try?

Drag the following link (containing the code above) onto the bookmarks bar of your browser:

Afterwards, go to any site you want and see for yourself how easy it is to capture your passwords. Alas, you can also verify that it works with all the popular password managers, regardless of whether or not they use password masking.

What About If There’s No Javascript Enabled?

Imagine that there is a super-magical-auto-filler that deactivates Javascript before filling the password field. Would this make you safe? No, because your “masked passwords” can be captured even without using Javascript.

How? Here’s an example that needs a bit more than a few lines of code, and a little more creativity. You could install a web server like XAMPP on your computer and create a catch-all index file that prints everything it receives. This would require just one line of PHP:



  • Connect to the website that you want the password for, for example Google
  • Edit your local hosts file and assign google.com to your local IP
  • Click the autofill button to log in to Google
  • When the browser complains that the certificate is wrong, click “ignore it and continue”

As you can guess, the next page will print the content of the form that should have been received by Google, but was instead intercepted and printed to your screen. Once again, the masked password has been revealed.


There are plenty of other techniques that a person could use to capture a password field from within his browser. The real takeaway here is that it is not possible to truly mask a password that transits through a user’s browser. So, please, don’t tempt fate. Change your password every time it is necessary, especially after having removed someone from sharing it.

  1. Plain and simple! Thank you! :)

    I love PassPack every day more (and I should really buy a premium account, I almost reached my 100 limit!!). ;)

  2. Francesco

    The only case where a masked password is useful is in order to limit the risk of phishing.

    Imagine that you share a password with a person that you consider not so smart. If he cannot copy the password, he cannot paste it into a phishing site. Since he can only use the autologin functionality, and the autologin doesn’t recognize the site, you are safe.

    I have to admit that I was doubtful about the possibility to introduce masked passwords only with this scope. But I talked with a lot of users and I understood that the risk that users would misunderstand its scope is high. So, for now I abandoned the idea.

  3. Francesco

    @Lorenzo, if you need only a few more entries, wait. We are preparing a new viral way to boost your account for free :)

  4. BINIT

    Hey, I was thinking why you guys are not introducing the masked password feature. But, after reading your blog, it was really nice to know that Passpack.com is concerned about its users’ security in each step!!

    Thank you very much for your advice. I will share the blog’s link with my friends, as it’s a very useful fact about password masking.

    Thanks again for keeping data safe and secure :)

  5. Rod

    Yet another reason to love Passpack. Nice work.

  6. Ok, I’ll wait for your viral promotion then (I’ll spam it as much as I can! :P).

  7. Christian Sciberras

    I don’t quite understand how/why anyone would think of hiding something from plain view as being secure. Just because you keep your money under your bed doesn’t make it safer than a bank account. Quite the contrary in fact.

    With regards to what is mentioned above, I not only agree with Francesco, but I’d say anyone that suggested this crap is an outright idiot.

    Masked passwords don’t exist. They simply hide text from plain view, in fact, it’s your password that is there, and it can’t be hidden no matter what.

  8. austin

    if you have netcat you can just listen on a certain port and set a proxy in your browser to use localhost:that port and the http request, presumably with your pass, will be shown.
    also if you have firebug in firefox.

    I’ve never heard of masked passwords but I certainly would NOT support such a silly idea.

  9. joequincy

    Password fields are just masked text fields. Change the Type attribute to text, and you’ve got yourself a readable password field.

    I wrote a Greasemonkey script ( http://userscripts.org/scripts/show/71825 ) quite some time ago that added a button to toggle just that after every password field. It’s totally inelegant, but it does the work quickly and easily enough. I absolutely agree with you; password masking is a security flaw because it induces a sense that it is secure, and thus promotes insecure practices.

  10. Andre P.

    I went to facebook.com with IE9, entered a few characters into the username and password fields, then hit F12 to get into the developer tools. I found the DOM node for the password field:

    I was able to change the ‘type’ attribute to “text” and the DOM type was changed immediately, revealing the password. Nothing to install, nothing to copy and paste.

  11. Andre P.

    I just tried the same technique on a bank site (note: with “https” this time) and while changing the ‘type’ attribute didn’t work, I noticed that the input value was revealed with the “value” attribute. Even easier!

  12. Chris

    It’s only to stop those who are peering over your shoulder (who also can’t read your fingers as they type on the keyboard…)

  13. Francesco

    @Chris, maybe there is a misunderstanding. What you are talking about is different from the subject of this post. Specifically, masking password fields against shoulder surfing makes sense (Passpack adopts this approach with passwords and notes). This post is about something else.

  14. Nice post. I wasn’t really aware of PassPack, but it looks like a very nice piece of software. I think I’m going to sign up for an individual account!

  15. Fabio

    If the masking is implemented in a safe way, the control won’t have the actual password, it will be stored somewhere else and the masked password will be just ‘*’ characters.

  16. Francesco

    @Fabio, it is correct to scramble a password field to protect it from “bad eyes”. Passpack does this in the entry popup. But this is a different thing.
