by byuu 3481 days ago
I doubt most will even go that far. You can pretty much expect those that won't go HTTPS (for whatever reason, and there are many) to change their input type="password" fields to input type="text" fields.

That is probably what I am going to do for the internal site I maintain at work, since I can't get an SSL certificate for such a thing.

All this change is going to do is make password eavesdropping in person easier.

2 comments

If it's hosted in local IP space and therefore you can't get a certificate, you can set up a CA and push that CA certificate through Group Policy. I had to do it myself and it took 3-4 hours (mostly because I'm bad at Group Policy).

The problem is that I'm a developer on a team of six. And my site is used by another five or six teams. It's a little tools site that does various SQL queries and such against databases other teams don't have access to. They're not going to allow me to push my signing certificate onto everyone's computers. I'm very low on the org chart.

Well, I assume in a company with that many teams they would have already come across a need to manage their own simple, internal CA. Maybe you can be the person to set it up; trust me, it's scarier than it looks.

Oh yeah, text field, that's an interesting option and people might even use it as an easy workaround [LOL]. I guess you could make the viewable size like 1 char, then it won't be much worse than inputting it from a smartphone. Except for the large screen people can see from behind you LOL.

I guess people could do self-signed certs that expire in "100 years", but you're right, even installing those can be super painful, and people may not go that far. Of course, initially what people will do is "nothing" and just let the insecure message appear, since it doesn't actually block any functionality seemingly...