On Mon, Jul 11, 2011 at 9:29 AM, Sean Connelly <s...@pbwhere.com> wrote:
> As a web developer, if I wanted access to the password, I would then avoid
> using the <input type="password"> field, and create my own field that reads
> characters (perhaps via onkeyup), and fakes a password field visually.

Then browsers wouldn't autofill it, which would defeat the nastiest attack here (stealing passwords without user intervention). But as noted, you can always submit the form, so it really doesn't help that much anyway.