Also, Jon, in the case where you imagine “someone” copying the text from the password field.
I guess I did not realize that you’re using this for two cases:
- While entering.
- Displaying the entered password later.
All of what I wrote in my posts before was for case 1. There, I think, in most cases it’s still not necessary to even hide the typing.
However, for case 2 you seem to be making a big security mistake, and that’s a common one:
If you consider showing the previously entered actual password later again in a listbox, then that means that you’re storing the password somewhere. That’s a big security flaw. An entered pw should never be stored anywhere. Instead, you should use the once-entered pw to encrypt something, and then only store the encrypted information. Later, if the user wants to access that secured data, you let the user re-enter his pw, and instead of you comparing that to your stored copy, you decrypt that data and thereby tell whether his pw is correct.
Of course, there are cases where you need to know the real password because you’ll pass that on, e.g. to open a database connection. In that case, still, the safer way would be to use what I just explained: You’d let the user enter that DB password, but encrypt that right away with another password the user has to enter at some time when using your app.
When you go this path, then yes, you’d end up with a password you can know and even show to the user. But if you do that, you’d leave the decrypted password inside your app, having it stored in plain view. A hacker could find that. If you store that password in an EditField, even if the “password” property is checked, it’s easy to read it out, e.g. by using “F-Script”, which is able to browse all Cocoa elements using a nice UI browser.
So if you are really concerned about securing passwords, never put the decrypted password anywhere, especially not in user interface elements, even if they APPEAR to be inaccessible. They are, because you stored the text there, and it’s in there somewhere.
Okay, enough of this. It’s your software, I just thought you should know all the options.
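
The scheme described in the post above, as an added example that is not part of the original post: the master password is never stored, a wrong password is detected by the decryption failing, and the decrypted secret lives only in a buffer that is wiped after use. It is written for Node.js; scrypt and AES-256-GCM are assumed choices (the post names no algorithm), and all function names and sample values are constructed.

```javascript
// Added example: names and sample values are constructed, not from the post.
const crypto = require("crypto");

// Derive a 256-bit key from the password. The salt is random per record
// and is stored next to the ciphertext; it is not secret.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32); // Node's default scrypt cost
}

// Encrypt `secret` (e.g. a DB password) under the user's master password.
// Only salt, nonce, tag and ciphertext are kept; the master password is not.
function seal(masterPassword, secret) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0);
  return { salt, nonce, tag, ciphertext };
}

// Decrypt the record. Returns a Buffer, or null when the password is wrong:
// the GCM tag check fails, so no stored copy of the password is compared.
function unseal(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.nonce);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch (err) {
    return null; // authentication failed: wrong password or tampered record
  } finally {
    key.fill(0);
  }
}

// Hand the secret to `use` for one operation, then zero the buffer.
// Buffers can be overwritten; JS strings cannot, so the secret is never
// converted to a string or placed in a UI field here.
function withSecret(masterPassword, record, use) {
  const secret = unseal(masterPassword, record);
  if (secret === null) return { ok: false };
  try {
    return { ok: true, result: use(secret) };
  } finally {
    secret.fill(0);
  }
}
```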