I disagree that most users always look at the form field as they type. Many people who can't touch type will look at the keyboard while typing, and if it's a site they're familiar with they may not bother to check their text entry before pressing return. In many login pages the cursor is automatically placed in the username field, so a user can simpy type username password - this might also catch out experienced users who don't pay proper attention to the page due to it's familiarity.

Even if they do check before submitting, presumably some javascript could be used to read the keystrokes as they're typed.

Admittedly this is only likely to work on a fairly simple form, like a simple login, but I think it's not as unlikely as you suggest.





[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/274/28944#28944