brucie said:
whats wrong with type="password"?
If you ask me, it prevents the user from seeing what he types and
thereby makes it more probable that he needs to type it twice, or
several times, thereby increasing security risks. Of course, it also
makes it awkward to log in. This gets rather mad if the password is
long - the new (!) system of public libraries in the Helsinki area
treats both the customer id (14 digits) and the PIN code (4 digits) as
passwords!
Risks are also increased by the fallacious belief that such effects
actually protect the data. In reality, the password is sent unencrypted
over the network, just as other fields are.
On the other hand, maybe in this case bad practice becomes good
practice by its being so common. That is, users are _accustomed_ to
seeing their input munged into *********** when typing a password, and
they might even think that a page is not secure if it doesn't do such
munging!