The Microsoft Edge browser, Edge Legacy, and Internet Explorer all offer a convenient mechanism for users to unmask their typing as they edit a password field:
Clicking the little eye icon disables the masking dots so that users can see the characters they’re typing:
This feature can be very useful for those of us who often mistype characters, and is especially important for users with various accessibility needs that can make error-free typing especially challenging. Keyboard users can hit ALT+F8 to toggle the reveal feature without using the mouse.
Nevertheless, Web Developers may disable this feature (for instance, if they offer their own version) by targeting the -ms-reveal pseudo element on an input type=password field:
.classNoReveal::-ms-reveal {
display: none;
}
If a site offers its own “reveal” feature, it should use CSS to hide the built-in feature to avoid confusing UI like this one:
Alternatively, sites may customize the Password Reveal Icon to better match their visual style.
Edge Legacy and Internet Explorer also respect a Windows policy (DisablePasswordReveal) that removes the password reveal button in various places throughout the system, including Edge Legacy and Internet Explorer. Some security configuration guides suggest setting this policy, arguing “Visible passwords may be seen by nearby persons, compromising them.” This is literally true; it is also true that such nearby persons might simply watch as the user’s fingers as they type in their password manually.
Notably, this Windows policy is not respected2 by Edge 79 and later, so we’ve had a few questions about that. I’d like to point out a few non-obvious characteristics of this feature that might assuage security concerns.
The most obvious attack that administrators are worried about is that a passerby might use this mechanism to steal auto-filled passwords from an unlocked, unattended computer. This concern is misplaced1: when the browser’s Password Manager autofills a password, the reveal icon is removed:
The PasswordInputType code is smart too– an attacker cannot get the icon to appear by simply adding or deleting a few characters, it only reappears after the user completely removes all of the characters in the input field. The icon is hidden if the field is modified by JavaScript, and it’s hidden if focus leaves the input field.
All of these protections mean that the Password Reveal icon is unlikely to be abusable in any meaningful way. Of course, typing passwords at all is an anti-pattern– use the Password Manager to mitigate phishing attacks, and eliminate the use of passwords wherever possible.
-Eric
1 Notably, while concern about the reveal button is misplaced, it’s entirely possible to steal your own password using the Developer Tools or by running JavaScript from the omnibox.
2 In Edge 87, we added an Edge-specific Group Policy to suppress the reveal button. You shouldn’t use it.
text/plain 
Would have been cool if the following was possible:
input[type=’password’] {
text-decoration: red bullet src(‘images/eye.png’);
}
Which would draw red bullets/dots and replace the default “eye” with the specified image.
We’ve had to remove the MS reveal and add our own not only for revealing cross-browser, but because the MS one is mouse-only :(
If it’s going to remain in Edge, it would be nice if it became a full, focusable, named control.
As noted in the post, there’s a keyboard hotkey (Alt+F8) for the reveal icon. Putting it in the tab order is an interesting idea, although it might be surprising to users who are accustomed to using tab to get to the Submit button.