Is the option to jump to blanks in password fields a security risk?
No, that is not a security risk.
Having stored passwords in a browser is a security risk. Letting an attacker access your computer between when you've typed in the password and before it is submitted is a security risk (and even after you've submitted it, you need to worry about theft of valid session cookies). Being able to jump to blanks/special characters in a typed in password is not a risk.
After a password has been typed in the password field, it's in the browser's DOM and only takes the least bit of effort to extract the full value out from it. E.g., if you go to the developer's JavaScript console (e.g., in Chrome/Linux type Ctrl-Shift-J) and type in (you can skip the comment lines that begin with //):
var inputs = document.getElementsByTagName('input');
// find all <input> elements in the page
for (var i = 0; i < inputs.length; i++) {
    // loop through all <input> elements
    if (inputs[i].getAttribute('type') === 'password') {
        // find input elements with attribute type="password"
        console.log(inputs[i].value);
        // print the values of these password elements to the screen.
    }
}
It will print to the screen whatever text is typed into any password fields. (This code is equivalent to the jQuery $('input[type=password]').val(), which will work if the webpage has loaded jQuery).
You could just type the word javascript: in the location bar and then paste
var inputs=document.getElementsByTagName('input'); for( var i=0; i < inputs.length; i++ ) { if (inputs[i].getAttribute('type') === 'password') alert(inputs[i].value) }
into the location bar and whatever text is in any password field will be alerted to you. (Note most browsers will remove the javascript: part if you try to paste the full URL, so you will have to type it.)
javascript:var inputs=document.getElementsByTagName('input'); for( var i=0; i < inputs.length; i++ ) { if (inputs[i].getAttribute('type') === 'password') alert(inputs[i].value) }
Yes, it is a security risk, but exploiting it is very unlikely.
It can be exploited this way:
Someone uses your computer without you around
Has enough time to open IE
Connects to a website with a saved password
Gets the profile of your password and goes away
If the intruder has enough time to do all the above, it would be way faster and simpler to download a keylogger, install it, give it all the permissions on the firewall, have the antivirus ignore it, and leave.
So, if you are thinking about the password profile, you have more serious problems to think about.
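To put a rough number on the "profile" the answer above refers to, the following added example (not part of the original answers) estimates how much the brute-force search space shrinks when the letter/digit versus other-character layout of a password is known. The caret-stop rule, the 62/33 split of printable ASCII, the function names and the sample password are assumptions made for illustration.

```javascript
// Added example: models what "jump to blanks" could reveal about a masked password.
// Assumption: the caret stops wherever the text switches between letters/digits
// and any other printable character; real browsers and OSes differ in detail.
const ALNUM = 62;                 // a-z, A-Z, 0-9
const OTHER = 33;                 // remaining printable ASCII, including space
const PRINTABLE = ALNUM + OTHER;  // 95

const isAlnum = (ch) => /[A-Za-z0-9]/.test(ch);

// Layout of the password: 'a' = letter or digit, '#' = anything else.
function jumpProfile(password) {
  return Array.from(password, (ch) => (isAlnum(ch) ? 'a' : '#')).join('');
}

// Caret offsets where a word-jump would stop (class changes), plus both ends.
function caretStops(password) {
  const profile = jumpProfile(password);
  const stops = [0];
  for (let i = 1; i < profile.length; i++) {
    if (profile[i] !== profile[i - 1]) stops.push(i);
  }
  if (profile.length > 0) stops.push(profile.length);
  return stops;
}

// Search space in bits for a guesser who knows only the length (blind) versus
// one who knows the full layout (informed). "leaked" is an upper bound, since
// the stops alone do not say which class the first run belongs to.
function leakedBits(password) {
  const profile = jumpProfile(password);
  const blind = profile.length * Math.log2(PRINTABLE);
  let informed = 0;
  for (const c of profile) informed += Math.log2(c === 'a' ? ALNUM : OTHER);
  return { blind, informed, leaked: blind - informed };
}

// Constructed sample value, not taken from the page.
const sample = 'correct horse-9!';
console.log(jumpProfile(sample), caretStops(sample), leakedBits(sample));
```

For the constructed 16-character sample the layout is worth about 12.6 of roughly 105 bits, so the remaining search space is still far larger than anything the layout gives away.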
The password is not displayed on screen to avoid shoulder-surfing attacks but it is still of course known to the browser. When you use a password store, it gives the actual password to a requesting application and not a hash or encrypted version of it (that'd be very intractable to use).
If someone is close enough to you that they can use your keyboard to see whether you typed words or not then they are close enough to shoulder surf your keystrokes and your password's security is already compromised.