Im building a simple registration form in PHP. I am wondering if there will be a security issue if I decide to use a simple input field instead of a password input field for the user’s desired password. I’ve seen other sites that don’t use the password input during registration and after some googling I can’t find a conclusive answer either way.
I would prefer to use a normal text field because it would be easier for the user during registration but I am concerned there will be some way for 3rd parties to capture these.
The only difference between an
<input type="password" />and an<input type="text" />is that the password one gets all the characters masked with whatever the browser decides (bullet points/asterisks/whatever).The only point is to ensure that people looking over ones shoulders can’t see the password as it is being typed in.
If the communication to the server is not secure, it makes zero difference whether the field is of type password or not (it makes no difference if the communication is encrypted either, BTW). That is, if the information is sensitive, you should use a secure channel (and the password field doesn’t do anything in this respect).