DO NOT DO THIS

There, now that we’ve cleared that up, allow me to explain…

What you’re essentially doing is sending this data to the user in the clear. Even if you’re using SSL encryption for the transport, it’s still a big risk. It’s not “rendering in the browser” but that doesn’t matter. It’s still being sent to the browser. And even if in this particular case you don’t run into any issues, it’s a bad habit to build.

You might even ask, “But I’m using md5() so the password is obscured, right?”

Wrong.

The text is obscured, yes. But you’re delivering the obscured version of the text to the client and then keying off of that text. Which means you’re still displaying an effective password for all to see.

If the password is “correcthorsebatterystaple” then you don’t want to display it in plain text because that would give somebody the password, right? (In fact, you don’t even want to store it in plain text. Anywhere. You, as the site admin, don’t even want to know or have any way to find out the text of the password. If you can, someone else can.) Right.

So, instead, you obscure the password as “elughwelfguweliurgnswfglwerlgu” which your code interprets as the password. So you can display that, right? Wrong. Because now, by accepting “elughwelfguweliurgnswfglwerlgu” as the password from the client, you’ve made “elughwelfguweliurgnswfglwerlgu” into the plain text password that your system accepts. So the obscuring of the text does nothing.

In short, never ever deliver a password to anybody in any form. Your application should receive passwords as input, but never produce them as output in any way.