Newer browsers notify users when a login form will be sent over an insecure connection. But some websites are replacing password boxes with plain text inputs to avoid triggering the warning – and using a special font, where all the characters are circles, to fool their users.
Troy Hunt makes an example of ShopCambridge.ca:
Frustrated by Firefox's pesky security warnings about insecure login forms scaring your users? Try this one neat trick by @shop_cambridge! pic.twitter.com/FlrotYe1De
— Troy Hunt (@troyhunt) October 31, 2017
And as you’ve probably guessed by now, that “font” is nothing other than a single disc per character designed to be a visual representation of the real disc you’d normally see when entering text into a proper password field. It needs to work in this order because otherwise the placeholder would no longer say “Password” and you’d instead see 8 round discs representing the letters of the word. The bottom line is, once all this is tied together then there’s the veneer of a password field but because it isn’t a password field, there’s no browser warnings! It’s like magic! More specifically, it’s a pseudo password field designed to fool the user and deny them of the browser’s visual warning designed to protect their password.
The craft involved is such that it can’t be explained by sheer laziness. It’s a peculiar mix of paranoia, marginal competence and the Dunning-Kruger effect.
Hahahaha.
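
An added example, not code from this post or from Troy Hunt's write-up: a heuristic audit of page markup for the pattern described above, inputs labelled as passwords that are not type="password". The sample HTML, the class name disc-font and the function names are constructed; the masking font is applied through CSS, so the class or style value is reported only as a pointer for manual review.

```python
import re
from html.parser import HTMLParser

# Attribute values that suggest the field collects a password (heuristic;
# words such as "passport" will also match and need a manual look).
PASSWORD_HINT = re.compile(r"pass(word|wd)?|pwd", re.I)
# Attributes whose values are checked for that hint.
HINT_ATTRS = ("name", "id", "placeholder", "autocomplete", "aria-label")
# Input types the browser displays unmasked; a missing type defaults to text.
TEXT_TYPES = {"text", "search", ""}


class PseudoPasswordFinder(HTMLParser):
    """Collects <input> elements labelled as passwords that are not type=password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() not in TEXT_TYPES:
            return  # real password fields and non-text controls are fine
        hits = [k for k in HINT_ATTRS if PASSWORD_HINT.search(a.get(k, ""))]
        if hits:
            self.findings.append({
                "line": self.getpos()[0],   # line of the tag in the markup
                "matched": hits,            # attributes that look password-like
                "font_hint": a.get("class") or a.get("style") or None,
            })


def find_pseudo_password_fields(html):
    finder = PseudoPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup (not copied from any real site).
SAMPLE = """<form action="/login" method="post">
<input type="text" name="email" placeholder="Email">
<input type="text" name="password" class="disc-font" placeholder="Password">
<input type="password" name="pin">
<input name="user_pwd">
</form>"""

if __name__ == "__main__":
    for finding in find_pseudo_password_fields(SAMPLE):
        print(finding)
```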