First some facts…

Fact 1:
None of us can remember the passwords for the dozens of web sites we re all registered on. That is why web browsers all optionally store logon information and automatically fill out logon pages when we revisit a site.

Fact 2:
Web browsers do all support a special type of input control type specifically for passwords. Nothing entered into a password field is displayed, any characters are all displayed as asterisks. This prevents the password from being observed, either when it is first typed nor when it is automatically entered on subsequent visits to the page.

Fact 3:
Most web browsers allow you to type Javascript code into the address bar. This code is run in the context of the currently displayed document and has access to the object model.

Hmmmmmmmm…

The following Javascript can be pasted into the address bar of most browsers. It will show an alert box that displays the contents of any password field on the page.

This is not the major security hole that you may think at first. If you are sitting at somebody’s computer looking at their webmail logon screen with the password field filled in then you already have access to their account – you don’t even have to know what the password is. However, knowning the password could be handy if you think that they have used the same password for other things, like a bank account.

My advice is not to save logon information for important sites when the browser asks you. Using a different password for each site that could cost you money or reputation if compromised is also a good idea.