Occasionally we are asked about adding a feature allowing the sharing of passwords with other people without them actually seeing the password itself.
Other password managers offer this feature. We do not, because it is not actually possible to hide a password from the person using it, and we feel that offering the feature would give a false sense of security.
How to bypass a masked password.
You probably are not an expert in Javascript, and you probably think that you would need to be a Javascript ninja to intercept a “masked password”. That isn’t so. Look at the following code:
    var Jq;
    (function () {
        var D = document,
            h = D.getElementsByTagName('head')[0] || D.documentElement,
            s = D.createElement('script');
        // Load jQuery from Google's CDN. Fetched over HTTPS: on an HTTPS login page
        // a plain-HTTP script would be blocked as mixed content and never run.
        s.src = 'https://ajax.googleapis.com/ajax/libs/jquery/1.5.2/jquery.min.js';
        h.appendChild(s);
        // Poll every 50 ms until jQuery has finished loading, then install the watcher.
        function run() {
            if (typeof jQuery != 'undefined') {
                // Take our own copy so we do not clobber any jQuery the page already uses.
                Jq = jQuery.noConflict(true);
                // Whenever the value of any password field changes, show it in an alert.
                Jq('input:password').change(function () { alert(Jq(this).val()); });
                alert('Ready.');
            } else setTimeout(run, 50);
        }
        setTimeout(run, 50);
    })();
Even if you don’t understand what’s written there, you’ll notice that it’s short. This bookmarklet loads a standard Javascript framework (in this case jQuery) and then runs code that “watches” every password field on the page. Whenever the content of a password field changes, the browser shows an alert revealing the password in the field. The key point is that a password field only hides its value on screen: any script running in the page can read it, just as the page’s own login code does when it submits the form.
Now imagine that you had shared a “masked password” with a co-worker. You may feel safe because you believe that since he cannot read your password, he cannot access it. This false sense of security would likely lead you to ignore the best practices for sharing, such as changing the password every time you remove someone from the share. In other words, you would probably continue to use your no-longer-safe password.
Without knowing any programming language, your co-worker could load a login page, run a simple Javascript snippet like the one above, click the button that starts the autofill… et voilà, he’d know your top-secret “masked password”.
There are plenty of other techniques a person could use to capture a password field from within his own browser. The real takeaway is that it is not possible to truly mask a password that passes through a user’s browser. So please, don’t tempt fate. Change your password every time it is necessary, and most especially, immediately after you stop sharing the password with another user.