PS: This was done on Windows Vista, but I suspect previous versions of Windows do the same.
Okay, this is terrible - this falls right in line with Windows 95's password field being crackable by SPY++. Back then, the password textbox would simply mask the password with * characters. So you could get a handle to the window that was the password field, and then simply get the title of the window - and that was the password LOL.
Well, that was almost too easy, so they fixed it in Windows 98.
But here is something just as terrible (well, at least 20% as terrible).
They advise you to have complex passwords, right? So instead of having a simple password such as "approach", you should have a password like "appr0@ch".
Okay, so the complex password has both numbers and complex characters.
It would make my life a hella lot easier if I knew the positions of the complex characters, eh? ;-)
So here is how you do it - demo'ed on Hotmail's loginid/password field.
I'm gonna type in the password appr0@ch in the password field, and place my cursor at the very beginning of the password text field. Here is how it looks -
Now, very carefully, press CTRL+Right Arrow key. Here is how it looks -
LOL, see where the cursor is?
Yep - that's where the "0" character was. Press CTRL+Right Arrow key once again, and that takes you to where the "@" character was.
Now, since the set of complex characters that you can type on your keyboard is actually smaller than the set of ASCII characters, I have already limited at least two character positions to a smaller set of possibilities. So as you can see, using complex characters actually weakens your passwords ;-). Now, in 99/100 cases, that complex character is a mnemonic. So I could write a program to guide my brute force cracking mechanism. BAH!
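To put a number on the leak described above, here is an added example (not part of the original post) that measures how many bits of search space the caret stops give away for a masked value. It assumes a simplified word-break model in which the caret stops wherever the character class changes between letter, digit and symbol; the function names, the class sizes and the 94-character alphabet are assumptions of this sketch, not measured browser behaviour.

```javascript
// Added example, not from the original post. Assumed simplified word-break
// model: the caret stops where the character class changes, and at the end.
const CLASS_SIZE = { letter: 52, digit: 10, symbol: 32 }; // printable ASCII, no space
const ALPHABET = 94; // assumed size of the full typeable set

function charClass(ch) {
  if (/[A-Za-z]/.test(ch)) return "letter";
  if (/[0-9]/.test(ch)) return "digit";
  return "symbol";
}

// Caret offsets reached by pressing CTRL+Right repeatedly from offset 0.
function caretStops(value) {
  const stops = [];
  for (let i = 1; i < value.length; i++) {
    if (charClass(value[i]) !== charClass(value[i - 1])) stops.push(i);
  }
  if (value.length > 0) stops.push(value.length);
  return stops;
}

// How many values produce exactly these stops. The observer sees only run
// boundaries, so every class sequence with differing neighbours is counted
// (dynamic programming over runs; plain Numbers are exact for short fields).
function candidates(stops) {
  let prev = null; // prev[c] = prefixes whose last run has class c
  let start = 0;
  for (const stop of stops) {
    const next = {};
    for (const c of Object.keys(CLASS_SIZE)) {
      let before = prev === null ? 1 : 0;
      if (prev !== null) for (const p of Object.keys(prev)) if (p !== c) before += prev[p];
      next[c] = before * Math.pow(CLASS_SIZE[c], stop - start);
    }
    prev = next;
    start = stop;
  }
  return prev === null ? 1 : Object.values(prev).reduce((a, b) => a + b, 0);
}

// Bits of search space lost to someone who can walk the caret through the field.
function bitsLeaked(value) {
  return value.length * Math.log2(ALPHABET) - Math.log2(candidates(caretStops(value)));
}

const sample = "appr0@ch"; // the post's own example password
console.log(caretStops(sample), bitsLeaked(sample).toFixed(2));
```

Under this model a field with no intermediate stops leaks too, because it tells the observer the whole value comes from a single character class.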
(I sniff a security update soon .. sniff! sniff!)
Update: Per the feedback, apparently this happens only in IE/HTML textbox. Still nasty nonetheless!