Introduction
Password fields are one of the most common yet critically important form elements on the web. While the password input type (type="password") provides basic masking by default, users often need to verify what they've typed--especially on mobile devices where keyboard errors are common. This guide explores the various options for implementing password reveal functionality, from native browser features to custom implementations, with a focus on accessibility and security.
Modern UX standards recommend providing password reveal functionality to help users verify their input, reducing login failures and improving form completion rates. When building secure web applications, implementing intuitive form interactions like password reveal is essential for creating positive user experiences that drive conversions.
Understanding the Password Input Type
The <input type="password"> element provides one-line plain text editing with obscured characters. The masking character (asterisk, dot, or bullet) varies by browser and operating system. While password masking prevents shoulder surfing, it also makes verification difficult for users.
According to MDN's documentation on password inputs, the masking character and specific behaviors are controlled by the browser and operating system, ensuring consistent security behavior across platforms.
How Browser Password Masking Works
The browser renders replacement characters instead of actual input. Each character is replaced with a visual symbol (• or *) while the actual value remains in the DOM but is visually obscured. Autocomplete behavior for password fields is controlled by specific values that help password managers function properly.
Native Password Reveal in Browsers
Modern browsers like Microsoft Edge and Internet Explorer include a built-in password reveal button (the "eye" icon) that appears in the password field. This native functionality provides basic show/hide capability without any additional code. However, browser support varies significantly across Chrome, Firefox, and Safari.
1<div>2 <label for="pass">Password (8 characters minimum):</label>3 <input type="password" id="pass" name="password" minlength="8" required autocomplete="current-password" />4</div>5 6<input type="submit" value="Sign in" />Option 1: Native HTML Pattern
The simplest approach to password reveal uses the browser's built-in functionality. In Microsoft Edge and Internet Explorer, a small eye icon appears at the edge of password inputs. This feature is controlled by the browser and requires no additional markup or JavaScript from developers.
However, this native button is not available in Chrome, Firefox, or Safari, which is why most websites implement custom toggle buttons for consistent user experience across all browsers and platforms.
CSS Considerations for Password Fields
Custom styling for the reveal button, visual feedback states (show/hide), focus indicators for accessibility, and responsive design considerations all play a role in creating a polished user experience that aligns with modern web development best practices.
Option 2: JavaScript Toggle Implementation
The most common approach to password reveal involves a toggle button (typically an eye icon) that switches the input's type attribute between "password" and "text". This straightforward technique works across all modern browsers and provides complete control over the user experience.
As covered in Make Things Accessible's implementation guide, proper accessibility requires attention to ARIA attributes, keyboard navigation, and screen reader support to ensure all users can effectively use the password reveal feature. Building accessible forms is a core competency of professional web development services that prioritize inclusive user experiences.
1function togglePasswordVisibility() {2 const passwordInput = document.getElementById('password');3 const toggleButton = document.getElementById('togglePassword');4 5 if (passwordInput.type === 'password') {6 passwordInput.type = 'text';7 toggleButton.setAttribute('aria-pressed', 'true');8 toggleButton.setAttribute('aria-label', 'Hide password');9 } else {10 passwordInput.type = 'password';11 toggleButton.setAttribute('aria-pressed', 'false');12 toggleButton.setAttribute('aria-label', 'Show password');13 }14}HTML Structure for Toggle Button
Password reveal buttons require proper ARIA attributes to communicate their state to screen reader users. The aria-pressed attribute indicates whether the password is currently visible or hidden, while aria-label provides context about the button's action. Using aria-controls connects the toggle button to the password input it affects.
1<div class="password-field">2 <input type="password" id="password" name="password" required autocomplete="current-password" />3 <button type="button" id="togglePassword" aria-label="Show password" aria-pressed="false" aria-controls="password">4 <span class="visually-hidden">Show password</span>5 <svg aria-hidden="true" focusable="false" viewBox="0 0 24 24" width="20" height="20">6 <path d="M12 4.5C7 4.5 2.73 7.61 1 12c1.73 4.39 6 7.5 11 7.5s9.27-3.11 11-7.5c-1.73-4.39-6-7.5-11-7.5zM12 17c-2.76 0-5-2.24-5-5s2.24-5 5-5 5 2.24 5 5-2.24 5-5 5zm0-8c-1.66 0-3 1.34-3 3s1.34 3 3 3 3-1.34 3-3-1.34-3-3-3z"/>7 </svg>8 </button>9</div>1.password-field {2 position: relative;3 display: flex;4 align-items: center;5}6 7.password-field input[type="password"],8.password-field input[type="text"] {9 flex: 1;10 padding-right: 44px;11}12 13.password-field button[type="button"] {14 position: absolute;15 right: 8px;16 background: none;17 border: none;18 cursor: pointer;19 padding: 8px;20 min-width: 44px;21 min-height: 44px;22 display: flex;23 align-items: center;24 justify-content: center;25}26 27.password-field button:focus-visible {28 outline: 2px solid #0066cc;29 outline-offset: 2px;30}31 32.visually-hidden {33 position: absolute;34 width: 1px;35 height: 1px;36 padding: 0;37 margin: -1px;38 overflow: hidden;39 clip: rect(0, 0, 0, 0);40 white-space: nowrap;41 border: 0;42}Accessibility Requirements
Keyboard Navigation
Toggle buttons must be keyboard operable (Tab to focus, Enter/Space to activate). Maintain logical tab order in forms and never remove outline without providing a replacement focus indicator. Focus management is critical for users navigating via keyboard.
Screen Reader Support
Password reveal buttons require proper ARIA attributes to communicate their state to screen reader users. As detailed in Make Things Accessible's accessibility guide, use aria-pressed to indicate state, aria-label for context, and aria-controls to create the relationship between the toggle and input. Screen reader users need to know when password visibility changes, so announcements should be clear and immediate.
Live Region Considerations
For users of assistive technology, consider using a live region to announce password visibility state changes. This ensures users are immediately aware when their password becomes visible or hidden again. Accessibility is a fundamental aspect of quality web development that ensures all users can interact with your forms effectively.
Security Best Practices
HTTPS Requirement
Forms containing password fields must be served over HTTPS. Browsers implement security warnings for login forms served over insecure connections. Any page with a password field should ensure all resources load over secure connections. Mixed content warnings will degrade user trust and may prevent form submission.
Autocomplete Attributes
Use appropriate autocomplete values as specified in the MDN password input documentation:
autocomplete="current-password"for login formsautocomplete="new-password"for password creation/registration
Input Validation
Password fields support validation attributes that help enforce security policies:
minlengthandmaxlengthfor character limitspatternfor character requirements (uppercase, lowercase, numbers, symbols)requiredfor mandatory fields
Preventing Accidental Exposure
Consider implementing auto-hide functionality that re-masks the password after a period of inactivity. Display clear visual indicators when the password is visible to prevent accidental exposure in public spaces. Secure form implementation is essential when building web applications that handle sensitive user data.
Implementation Patterns
Pattern 1: Basic Toggle Button
The most common pattern places a small toggle button inside or adjacent to the password input field. This maintains familiar form layout while providing easy access to reveal functionality. The toggle is positioned within the input's padding area to maintain visual coherence.
Pattern 2: Checkbox Toggle
Some implementations use a checkbox labeled "Show password" placed below the password field. This approach sacrifices some visual space but provides a clear, unambiguous toggle option. It works well for forms where the toggle might otherwise interfere with adjacent form elements.
Pattern 3: Icon-Only Button with Tooltip
Modern implementations often use an icon-only button (eye or eye-slash) that reveals a tooltip on hover. This approach requires careful accessible labeling--use aria-label and aria-describedby to ensure screen reader users understand the button's purpose.
Pattern 4: Click-to-Reveal Input
In high-security contexts, some applications require users to click and hold the password field to reveal. This prevents accidental exposure but requires clear user education. Consider combining this with a "show for 30 seconds" option for better usability.
Missing Keyboard Support
Toggle buttons that can't be activated with keyboard break accessibility and prevent form completion for many users
No Focus Indicators
Removing outline without replacement leaves keyboard users disoriented and unable to navigate forms effectively
Poor Accessible Names
Icons without text labels are invisible to screen reader users, making the feature unusable for assistive technology
Inconsistent State
Button state that doesn't match actual password visibility causes confusion and undermines user trust
Mobile Considerations
Touch Target Size
Toggle buttons must have a minimum touch target of 44x44 pixels for comfortable mobile use. This is especially important for password reveal buttons that users may need to tap quickly while entering credentials. Position the toggle where thumbs can easily reach without stretching.
Performance on Mobile
JavaScript-based password reveal should be optimized for mobile devices with limited processing power. Avoid complex animations or layout changes during the toggle action. Event delegation and minimal DOM manipulation will ensure smooth performance across all devices. Test on lower-end devices to ensure responsive interaction.
Progressive Enhancement Approach
The password field should function as a standard masked input when JavaScript is disabled. With JavaScript, the toggle button becomes functional, providing the enhanced user experience. This approach ensures all users can complete forms regardless of their browser capabilities or JavaScript availability.
Feature Detection
Implement password reveal based on feature detection rather than browser detection. Check for the existence of password input support and ARIA attribute capabilities before adding toggle functionality.
Conclusion
Password reveal functionality has evolved from a nice-to-have feature into an expected standard in web forms. Users benefit from the ability to verify their input, reducing login failures and improving overall form completion rates.
The key is to balance user experience with security considerations, always prioritizing accessibility and progressive enhancement. Whether implementing a simple JavaScript toggle or a more sophisticated custom solution, attention to detail in keyboard navigation, screen reader support, and visual feedback will ensure the feature serves all users effectively.
By following the implementation patterns and accessibility guidelines outlined in this guide, developers can create password reveal features that are secure, accessible, and performant across all devices and browsers.
For professional web development services that implement best practices for form accessibility and security, contact our team to discuss your project requirements. Our experienced web development team can help you build secure, accessible forms that deliver exceptional user experiences.