How-to 8 min read September 26, 2019

What is <input type="password"> and how does this field threaten the user's security

Using <input type="password"> on web pages with the HTTP protocol is unsafe because hackers can steal user data. User data protection is provided by using the HTTPS protocol.

Using <input type="password"> in data input forms on websites

The password input element <input type="password"> is designed for password entry when users register on websites. Normally, for security reasons, the text typed into this field is replaced with special characters: stars or dots.

On mobile devices, the entered character is usually shown for a second so that the user can verify that the text typed on a small virtual keyboard is correct.

You can give this field an identifier or a name:
<input id="Pass_of_user" type="password">
<input type="password" name="my_password">
Transmitting data entered by the user over the insecure HTTP protocol is dangerous, as this creates the risk of various hacker attacks.

User data is left unprotected in the following cases:

1. When the form's code is sent over the HTTP protocol, a hacker can change this code and add a script to it that intercepts data. The address in the form can also be replaced with a different one, to which the user's personal information will be sent.
2. If the data entered by a user is transmitted via the HTTP protocol, the information passes over the network in an unencrypted format. In this case, the user's password can be intercepted by the system administrator, the Internet provider and other persons.
3. The form is placed inside frames transmitted over HTTP, even if the main page is transmitted over HTTPS. With this option, the frame code can be intercepted and modified.
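
The three cases above can be checked automatically. The following Python sketch is an added example, not code from the original article or from Serpstat: it parses a page and reports password fields served over HTTP, forms that submit to HTTP, and frames loaded over HTTP. The class and function names and the shop.example URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def is_http(url):
    return urlparse(url).scheme == "http"


class PasswordFormAudit(HTMLParser):
    """Flags the three insecure patterns from the list above."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form_action = None  # resolved action of the form being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if is_http(self.page_url):  # case 1
                self.findings.append("password field on a page served over HTTP")
            if self._form_action and is_http(self._form_action):  # case 2
                self.findings.append("password form submits to " + self._form_action)
        elif tag in ("iframe", "frame") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if is_http(src):  # case 3; the frame's own content is not inspected
                self.findings.append("frame loaded over HTTP: " + src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit(page_url, html):
    parser = PasswordFormAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: HTTPS page, form posts to HTTP, HTTP frame embedded.
SAMPLE = """
<form action="http://shop.example/login" method="post">
  <input type="password" name="my_password">
</form>
<iframe src="http://shop.example/widget"></iframe>
"""
```

Calling audit("https://shop.example/account", SAMPLE) returns one finding for the form action and one for the frame; a form with a relative action on an HTTPS page returns none.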

Protecting user data using HTTPS

Due to the insecurity of the HTTP protocol, you must use HTTPS on any websites that utilize user data. This protocol is designed to protect users' personal data from interception and modification.

Browsers display warnings about the insecure connection to inform users of a potential threat on websites using the HTTP protocol. In Google Chrome, there is a more forceful wording:
Unprotected site connection in Google Chrome
One survey found that nearly half of users have a bad reaction to the 'not secure' browser warning. However, 46% of respondents said that they would not enter their names or financial information into a website that was not secure, and 64% of survey participants said they would leave the website "instantly".

Resource insecurity warnings can also affect brand reputation. Given the aggregate evidence that the HTTPS protocol is a ranking factor and the impact of browser warnings on visitor behavior, experts unequivocally recommend switching to a secure protocol.

To keep the website from showing a message that scares potential customers, you must use an SSL certificate; in that case, a browser message will inform visitors that the website is secure:
Secure connection in Google Chrome

Why is it important to ensure the safety of users' personal data on all websites

News and entertainment websites, where visitors do not enter confidential or financial information, sometimes do not store usernames and passwords responsibly. This poses a high threat to users who use the same logins and passwords on several websites.

Hackers can attack a news portal, obtain passwords and logins, and then use them on other websites containing important financial information, for example, online banking services. Accordingly, ensuring the security of personal data depends not only on the competent actions of website developers but also on the users themselves.

There are certain rules for using passwords that will minimize the risk of identity theft. Some data protection guidelines apply to website owners, others apply to users.

Recommendations for administrators:

1. The password should be long enough to complicate cracking by exhaustive search. The optimal length is more than six characters, including letters of various cases, digits, and special characters. The password entered by a user must be checked for compliance with these requirements.
2. Account blocking should be implemented on websites if the password is entered incorrectly a particular number of times. For example, if you type your password incorrectly three times, your account can be blocked for several minutes or longer. This will greatly complicate hacker attacks based on password guessing.
3. Passwords should be changed regularly, after a certain period of time. A hacker may need over 90 days to crack a complicated and long password via password guessing. Therefore, by inviting users to change passwords every 60 or 90 days, it is possible to ensure the safe storage of their personal data.
4. For website security reasons, it's useful to rename administrator accounts from the popular Administrator or Admin names to individual ones. It is also important that such accounts with wide authority have the most complex passwords, which should be regularly updated. Otherwise, there is a risk of being hacked by automated password guessing (brute force) software.
5. You can audit the passwords of the website's users by trying to crack them yourself with hacker tools. This will help to identify security problems before attackers do and eliminate them by modifying the website or by pointing out their mistakes to careless users.

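
Recommendations 1 and 2 can be enforced on the server side. The Python sketch below is an added example, not code from the original article: policy_problems checks a new password against the requirements in recommendation 1, and LoginThrottle blocks an account after three wrong entries as in recommendation 2. All names are assumptions, as is the five-minute lock, which stands in for the article's "several minutes"; state is held in memory only.

```python
import string
import time

MAX_FAILURES = 3        # from the article: three wrong entries
LOCK_SECONDS = 5 * 60   # assumed value for "several minutes"


def policy_problems(password):
    """Return the requirements from recommendation 1 that are not met."""
    checks = [
        (len(password) > 6, "longer than six characters"),
        (any(c.islower() for c in password), "a lowercase letter"),
        (any(c.isupper() for c in password), "an uppercase letter"),
        (any(c.isdigit() for c in password), "a digit"),
        (any(c in string.punctuation for c in password), "a special character"),
    ]
    return [need for ok, need in checks if not ok]


class LoginThrottle:
    """Per-account failure counter with a temporary lock."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the lock can be tested
        self._failures = {}          # account -> consecutive failed attempts
        self._locked_until = {}      # account -> time at which the lock expires

    def is_locked(self, account):
        return self._clock() < self._locked_until.get(account, float("-inf"))

    def record(self, account, success):
        """Record a login attempt; return True if the account is locked."""
        if self.is_locked(account):
            return True              # even a correct password waits out the lock
        if success:
            self._failures.pop(account, None)
            return False
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self._failures.pop(account, None)
            self._locked_until[account] = self._clock() + LOCK_SECONDS
            return True
        self._failures[account] = count
        return False
```
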
Recommendations for users:

  • it is advisable to use meaningless combinations of letters and symbols that are not related to personal information;
  • passwords for different websites should be different. If you cannot remember them, you can use password managers. However, in this case, you must carefully select a complex password for this tool.

You can install LastPass: Free Password Manager that allows storing passwords, addresses, and other data securely for auto-filling forms:
Password Manager LastPass: Free Password Manager for Google Chrome

Conclusion

1. The security of transferring and storing user data is one of the priorities in the operation of any website.
2. You can protect your personal data using the HTTPS protocol.
3. It is important to monitor the strength of passwords entered by users by adding appropriate checks and recommendations.
4. It is useful to regularly suggest changing the password in user accounts to mitigate the risk of cracking them.
5. Administrator passwords should be as complex as possible, and you must remember to change them as often as possible.