Prevent users from finding the password through Firebug/Chrome Dev Tools

Backend · unresolved · 13 answers · 1124 views
醉梦人生 2020-12-30 22:28

\"Hidden

For the password input field:

13 answers
  • 2020-12-30 23:23

    The premise of this question is that the client computer is compromised and is being used by someone who should not have access. Assuming that a password manager is in use (such as Chrome's) which does not require a master password before each login form auto-fill, there is nothing you can do to prevent the attacker from gaining access to accounts.

    You are trying to solve a problem at the application level when the access problem is deeper than that.

    Suppose Bob forgets to log out of his computer. An attacker (Eve) stumbles upon his open Windows session and wants to gain access to his PayPal account. Bob uses a password manager for multiple accounts, including his Gmail, PayPal, and Reddit accounts. Suppose PayPal took application-level precautions to prevent Eve from learning Bob's password from a password manager's auto-filling. Eve thinks she will only be able to have control of Bob's PayPal account for as long as it takes for Bob to return. But then, Eve notices PayPal's password reset link feature. Bob's email account is also compromised because his password for it is also in the password manager. With access to Bob's email account, Eve can reset any of Bob's passwords that she wants. She could maintain access by installing a keylogger on Bob's computer.

    Bottom line, the security concerns you are trying to address are beyond your power to address (assuming a conventional username password model). Even without assuming anything about your application, Eve has physical access to Bob's computer, so she could compromise it in a multitude of ways.

    If you make your users use two-factor authentication (send them a code via text message via Twilio), make them carry around a hardware USB key, etc., you will increase security and avoid the password manager problem at hand.

    But ultimately, you face a trade-off of security and usability. If Bob is too lazy/forgetful/apathetic/negligent to log out of his PC, no amount of JavaScript you write can save him.
