Web Forms and Plaintext Passwords

Web browsers save a lot of information about you.  Even when they aren’t passing it on to a third party, you can save information like passwords, form field entries, your history, and more in the browser.  Both Firefox and Chrome document what they keep and how their autofill works.

I sync my data between my devices, using Firefox’s sync.  I do not synchronize passwords, since I use a password manager outside Firefox.  In theory, then, none of my passwords should be accessible to Firefox (or, more to the point, to someone who can open my Firefox browser).

Recently, I found some extraneous data in my autofill form information.  I had lost a library card and received a new one, so my old number no longer worked.  But it continued to populate form fields for my library services.  I knew about form history being saved – you can see it autofill – but had never looked at it.  It turns out you need an add-in to do so.  I used Form History Control for Firefox.

When Passwords Are Form Data

I was surprised to find one of my passwords displayed in plaintext (as a normal form field would capture it) when I reviewed my form history.  Since my passwords aren’t otherwise captured, I hadn’t expected it.  It reminded me that, when you visit a Web page, the username and password form fields need to be properly configured so that your browser knows which field is a password field.

A form box called “admin_pass” accepted my password as normal form data. This is how it appears in Form History Control

To a Web user, these fields look the same.  But to a Web developer, there is a difference between a normal text field and a password field.  The two example boxes on the original page show the difference when you type in them: the first is a password box, and any characters you type appear as asterisks, because its form field type is password.  The second box, which displays normal text, is a text type box.
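As an added example (not code from the original post), here is a small Node script that scans form markup for fields that are named like passwords but declared as plain text inputs, which a browser would file under ordinary form history, and rewrites them as password inputs. The sample form, the name patterns and the function names are all assumptions made for this illustration.

```javascript
// Added example: audit form markup for password-like fields that are not
// type="password". Runs in Node; SAMPLE_FORM is constructed, not a real page.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="text" name="admin_pass">
  <input name="passphrase">
  <input type="password" name="confirm_pass">
  <input type="submit" value="Log in">
</form>`;

// Field names that suggest the value is a secret (assumed heuristic).
const SECRET_HINT = /pass|pwd|secret|token/i;

// Parse every <input ...> tag into a {type, name} object.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    // An <input> with no type attribute is a text field by default.
    inputs.push({ type: (attrs.type || 'text').toLowerCase(),
                  name: attrs.name || attrs.id || '' });
  }
  return inputs;
}

// Names of fields that look like passwords but would be saved as form data.
function findLeakyPasswordFields(html) {
  return parseInputs(html)
    .filter(f => SECRET_HINT.test(f.name) && f.type !== 'password')
    .map(f => f.name);
}

// Rewrite each flagged input so the browser treats it as a password field.
function hardenForm(html) {
  const leaky = new Set(findLeakyPasswordFields(html));
  return html.replace(/<input\b([^>]*)>/gi, (tag, attrs) => {
    const name = (attrs.match(/\bname\s*=\s*"([^"]*)"/i) || [])[1];
    if (!leaky.has(name)) return tag;
    const rest = attrs.replace(/\s*\btype\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<input type="password"${rest}>`;
  });
}

console.log(findLeakyPasswordFields(SAMPLE_FORM)); // [ 'admin_pass', 'passphrase' ]
console.log(hardenForm(SAMPLE_FORM));
```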

To AutoFill or Not to Autofill

If you visit a Web site whose login form does not set the password box to type password, then your browser won’t know to separate your password from your form data.  It is worth taking a look at what you’ve saved in your browser’s auto-fill form database.  Anyone who can access your computer can view it easily, and if there is information that you have inadvertently saved in plaintext that should not be there, it’s just as easy for you to clean it up.

I find autofill to be very helpful, cutting down on retyping addresses, e-mail addresses, and other regularly used pieces of unsecure information.  However, a password is a different thing.  The easiest solution is to disable your Web browser’s ability to autofill.

I haven’t checked to see if form-saving add-ons outside the browser also save in the same way, but I don’t see why they wouldn’t.  In my case, I’m going to leave autofill on, but I will be checking my form history more regularly now to make sure it’s not storing something I don’t want it to.