The reveal-password toggle is really useful, but it has some security implications that should be handled:
Reveal toggled on
If someone wants to learn another person's password, they might toggle the reveal-password functionality on and wait for the victim to type it. To prevent this we need to address two issues:
- Disable the reveal password with a timer: 10s should be enough to correct any misspellings, 20s to be safe, or maybe even 30s, but it should be disabled after that. Alternatively, the toggle could work as a push button that reveals the password only while you hold the button or the F8 key.
- The reveal status should be highlighted clearly, maybe just by making the icon bright red, so the user notices it at once when sitting down at the keyboard (the current icon is hardly noticeable).
Reveal passwords already entered
The other possible scenario is a user who left the password half typed because of an interruption. A new user should not be able to read the part of the password already entered; to fix that, just clear the password field with a timer after the last key-press. 30s should be enough, but 1m is a safe time.
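As an added example (not code from the original request or from whatever project it targets), the following framework-free JavaScript models the mechanisms proposed above: a reveal toggle that switches itself off after a timeout, a hold-to-reveal mode bound to the F8 key, a distinct icon state while the password is visible, and an idle timer that clears a half-typed password. The element ids `password` and `reveal-toggle`, the CSS class names, and the timeout constants are assumptions; the timeouts use the shorter values suggested in the text (10s for reveal, 30s for idle clearing).

```javascript
// Added example: a model of the reveal/clear behaviour proposed in the request.
// Timeout values are the shorter ones suggested in the text (assumption).
const REVEAL_TIMEOUT_MS = 10_000; // auto-hide this long after the reveal toggle was switched on
const IDLE_CLEAR_MS = 30_000;     // clear a half-typed password this long after the last key-press

// Time is passed in explicitly so the behaviour can be checked without real timers.
class PasswordFieldModel {
  constructor(now = 0) {
    this.value = '';          // what the user has typed so far
    this.revealed = false;    // is the plaintext currently shown?
    this.revealedAt = null;   // when the toggle was switched on (for the auto-hide timer)
    this.holdActive = false;  // true while the user holds the button / F8 key
    this.lastKeyAt = now;     // last key-press (for the idle-clear timer)
  }

  // A keystroke in the field: extend the value and restart the idle timer.
  type(char, now) {
    this.value += char;
    this.lastKeyAt = now;
  }

  // Click on the eye icon: toggle, remembering when reveal was switched on.
  toggleReveal(now) {
    if (this.revealed) {
      this.hide();
    } else {
      this.revealed = true;
      this.revealedAt = now;
    }
  }

  // Hold-to-reveal (button held down or F8 keydown): visible only while held.
  holdStart(now) {
    this.holdActive = true;
    this.revealed = true;
    this.revealedAt = now;
  }

  holdEnd() {
    this.holdActive = false;
    this.hide();
  }

  hide() {
    this.revealed = false;
    this.revealedAt = null;
  }

  // Run periodically (e.g. once a second) and after any event.
  tick(now) {
    // Auto-hide a toggled reveal; a held reveal ends on release instead.
    if (this.revealed && !this.holdActive && now - this.revealedAt >= REVEAL_TIMEOUT_MS) {
      this.hide();
    }
    // Clear a password the user walked away from, and hide it at the same time.
    if (this.value.length > 0 && now - this.lastKeyAt >= IDLE_CLEAR_MS) {
      this.value = '';
      this.hide();
    }
  }

  // What the field should show.
  displayText() {
    return this.revealed ? this.value : '\u2022'.repeat(this.value.length);
  }

  // Icon state; 'reveal-on' is meant to be styled bright red (assumed class name).
  iconState() {
    return this.revealed ? 'reveal-on' : 'reveal-off';
  }
}

// Wire the model to a real <input type="password"> and a toggle button when a DOM exists.
function bindToDom(model, input, toggleButton, nowFn = () => Date.now()) {
  const render = () => {
    input.type = model.revealed ? 'text' : 'password';
    toggleButton.className = model.iconState();
  };
  input.addEventListener('input', () => { model.value = input.value; model.lastKeyAt = nowFn(); render(); });
  toggleButton.addEventListener('click', () => { model.toggleReveal(nowFn()); render(); });
  // Hold F8 to reveal only while the key is down (ignore key-repeat events).
  document.addEventListener('keydown', (e) => { if (e.key === 'F8' && !e.repeat) { model.holdStart(nowFn()); render(); } });
  document.addEventListener('keyup', (e) => { if (e.key === 'F8') { model.holdEnd(); render(); } });
  setInterval(() => {
    model.tick(nowFn());
    if (input.value !== model.value) input.value = model.value; // idle-clear wipes the field
    render();
  }, 1000);
}

if (typeof document !== 'undefined') {
  const input = document.getElementById('password');       // assumed element id
  const button = document.getElementById('reveal-toggle'); // assumed element id
  if (input && button) bindToDom(new PasswordFieldModel(Date.now()), input, button);
}
```

Keeping the state machine separate from the DOM binding makes the timing rules easy to verify, and the reveal only ever swaps the input's `type` attribute, so nothing is copied out of the field that could survive after the timer hides it again.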
Keep the UX nice
The proposed changes are small improvements, but they focus mainly on keeping the interface friendly to use.