How to mask (eg. xxxx) user input for "password" typing

@akelad: How to mask the password input from the user using “…” or “xxx” as input type as “password” when we use form in FormAction? This is very important as the user credentials shall be protected for financial transactions.

1 Like

this is something that’s up to you to implement in the front end. i wouldn’t really advise asking for users passwords in a chat though, most of them won’t provide it and also it’s insecure

@akelad, Thanks for your clarification. But still we need to implement the password through the bot as this is for banking industry. Let me try different ways and let you know.

Hi

i am also looking for the same if you found solution can you please share with me

What options are you looking at to solve this? I have to accept masked input in the middle of a conversation (I can’t do at beginning). So I was just going to put up a web view in the middle of the dialog. This is quite easy to do with FB Messenger.

1 Like

From a security perspective. I would say use account linking in Facebook/Google using oAuth. Much better option.

Hello @akelad,

Could you plz explain to me why it’s insecure when asking for login and password? What is the difference between a simple form created with HTML and a chatbot form (Rasa form)? In both cases, the data will be sent to the backend which will do its encryption. The only difference I can see, is the masking of the password with HTML input sections (***) otherwise it’s the same.

Thanks in advance.

If i may chime in, for a better omni channel experience, use oAuth or MFA, in facebook/google, you can do account linking while in a front end, you can implement a webview that handles authentication.

this way, users don’t have to give passwords in plain text. it is okay to have e2e encryption when you control the front end and as well as the tls certificates and can even do M-TLS but once you would want to integrate another channel, the best experience so far is either MFA or oAuth so to remain consistent across all channels, oAuth or MFA is the best way to go

1 Like

Hey @souvikg10,

Thank you for your reply.

Yes, I agree with you that account linking is a very good solution. I’m just wondering if the login is not an email and we cannot do an account linking, so we have to implement a form. My question is, implementing a form could be more secure than using a chatbot? I think it’s the same except for the letters masking of the form.

Thanks in advance.

There are no issues, you can do it in a chatbot in a custom front-end of your own. but you need to look at chatbots as an omnichannel interface and thus be consistent on your approach for a conversation.

Writing plain text passwords on a custom front-end which has a limited state is probably fine but messenger/google assistant saves all conversations and most users(including myself), wont share an app password in messenger. there is also a risk of fraud( in finanical services) , i can very easily tweak page names and collect passwords without the user knowing the difference. Facebook pages are notorious and can be a big source of fraud.

2 Likes

Got it. Thank you so much!

hello @souvikg10 i’m building chatbot for college students where students need to login to use bot.How can i encrypt/make password invisible on chatbot window.please help me!!

hello @akelad could you please help me to find solution for above issue. I want to make encryption when user inputs and click on submit button it has to call python function and make encryption then display on chatbot window.

this looks very much a front end implementation… you can simply read off the action returned by the bot in the front end or the question to be asked next and simply anticipate that the characters in the answers to be replaced by *

or else a more secure way to do this is what i explained above - webviews, open a small popup and collect the password in a form with masked input, this way you chat interface don’t log plain text password and you are prepared for future interfaces like FB etc

1 Like