Mask passwords in settings page

I noticed that when editing the MQTT password field, my browser was suggesting me a previously entered password because the input type field is a text field.

These can be masked by changing the input type to password and I believe the browser will then no longer suggest them. I’m not sure if this is changed in 2.5, because I have not yet installed it and the screenshots do not show the detailed MQTT settings screen.

There isn’t real solution for that.
Password manager or different browser will identify an input password and auto-complete with a previous password. You can set autocomplete-off but not all browser support it.

On another project with admin settings and such password, to avoid such auto complete, we just removed any password/autocomplete settings on the input, set a css class on it, and this css class set input font to a font with only point to not display it clear. This was the only universal solution we found after many different tests.

input.inputPassword  {
  font-family: "text-security-disc" !important;
  letter-spacing: 2px;

Such font can be found here for example:

I’ve at least marked them as type=password in the HTML for now. Not sure if that will help, but should be a step in the right direction.

That sounds like good approaches to me :+1:

Perhaps we can tackle the Home Assistant API password and token as well in this way.

1 Like