Missing Password Field Masking

Description

This vulnerability occurs when an application fails to hide password characters as they are typed, making them visible to anyone who can see the screen. This exposes user credentials to onlookers or screen-capturing malware.

Extended Description

Password masking is a fundamental security feature that protects credentials from 'shoulder surfing'—where someone physically observes the screen—and from software that may capture screen content. When this visual protection is missing, even a brief exposure can lead to a compromised account, as passwords are entered in plain sight. For developers, the fix is straightforward: always use an input field with its type attribute set to 'password' in HTML, or the equivalent secure text entry component in your chosen UI framework. This ensures the field automatically obscures each character, typically with dots or asterisks, providing a critical layer of privacy during authentication without affecting functionality.

Common Consequences 1

Scope: Access Control

Impact: Bypass Protection Mechanism

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 1

Phase: ImplementationRequirements

Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.

References 1

24 Deadly Sins of Software Security

Michael Howard, David LeBlanc, and John Viega

McGraw-Hill

2010

ID: REF-44