Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

Because of new "Not Secure" browser messages

[JoeCommodore]

If you get a password field on a web page the browser will display various scary looking messages depending of the security of the page.

Generally if its a local network page with an IP address (most router interfaces) having the password field will have the browser alert you the page is "Not Secure" of the address bar. If its a self signed certificate (which ads encryption between you and the browser, the message is even scarier with red fields or strikethroughs as a spoofed certificate COULD be playing a man in the middle confidence scheme. Only ones that get through this is devices that have set up proper certification.

So the easiest way to avoid a lot of the scary "not secure" address bar messages, is just do the login in plain text.

Re: what else do you think it does?

They do... now. Originally the value of fields was not visible in the DOM properties and could not be queried via window managers either. It's almost as if putting advertising companies in charge of browser security was a bad idea.