Re: Show/hide toggle to reveal masked password

Hi Lisa

I'll tack onto  Léonie's comments by noting that at one time there was some
discussion of creating an ARIA role of password (role="password") which a
number of us objected to at the time, fearing misuse of the strong
semantics of that proposed role. It could have made a text input appear to
be a password field to non-sighted users ONLY (since ARIA overrides native
semantics) which could have been a serious security issue because of that.

While I can appreciate that there may be instances where users may want to
see/hear what password they are entering is, overall I think that
encouraging the use of a password manager (which supports REALLY STRONG
password strings that you never have to remember yourself) is a far better
strategy overall - the current ability we see on some sites to expose
hidden passwords would seem to me to be weakening the point of a password
field in the first place - but that's just me.

Another $0.02 worth of feedback.

JF

On Mon, Jul 11, 2022 at 11:43 AM Léonie Watson <lwatson@tetralogical.com>
wrote:

> The masking is done for privacy and security, and as a screen reader user
> I like that I'm afforded the same protections as everyone else. If you use
> the standard HTML password field the browser automatically handles this for
> everyone.
>
>
> You're right that it can sometimes be difficult to enter passwords that
> are masked, especially if you do not use a password manager, which is why
> giving people the option to show their passwords is a good idea.
>
>
> But I would strongly caution against making passwords visible by default
> because it removes those protections and takes the choice away from
> consumers.
>
>
> Léonie.
>
>
>
> On 11/07/2022 15:59, Lisa Spirko wrote:
>
> Hello all,
>
>
>
> I have been unable to find information about this on the W3C/WAI site:
> Password masking (e.g., with asterisks or bullets) and the show/hide toggle
> that I believe should be used to show the actual password.
>
>
>
> Most password fields use masking characters, and without this toggle,
> screen readers read the masking characters (“star star star star…”), not
> the actual characters being typed. This seems to me to be a significant,
> severe accessibility issue because screen reader users are unable to
> confirm that the password they’re entering is correct. Essentially, this
> issue renders the entire system inaccessible because the screen reader user
> cannot even access it. I hope you’ll consider adding information about this
> to the site and guidelines.
>
>
>
> The W3C/WAI pages I have found so far on passwords do not mention this at
> all, but I’m looking for information to pass along to a development team.
> Any guidance on this is welcome.
>
>
>
> Thanks,
>
> Lisa
> ------------------------------
>
> The information contained in this e-mail may be privileged and
> confidential under applicable law. It is intended solely for the use of the
> person or firm named above. If the reader of this e-mail is not the
> intended recipient, please notify us immediately by returning the e-mail to
> the originating e-mail address. Availity, LLC is not responsible for errors
> or omissions in this e-mail message. Any personal comments made in this
> e-mail do not reflect the views of Availity, LLC..
>
> --
> Director @TetraLogicalhttps://tetralogical.com
>
>

-- 
*John Foliot* |
Senior Industry Specialist, Digital Accessibility |
W3C Accessibility Standards Contributor |

"I made this so long because I did not have time to make it shorter." -
Pascal "links go places, buttons do things"