Educational

Password Fields and Obscure

by

Saim Khalid
in

Passwords are one of the most sensitive types of data in mobile applications. Every app, whether it is a social network, banking app, or an e-commerce platform, requires secure handling of user credentials. Flutter provides built-in tools that make password field creation both easy and secure.

In this in-depth article, we will cover:

  • How to use obscureText: true to hide user input.
  • Building a show/hide password toggle.
  • Adding validation for strong and secure passwords.
  • Real-world examples of login and signup forms.
  • Best practices for handling password input.

By the end of this guide, you will have everything you need to build secure, user-friendly password input fields in Flutter.

Introduction to Password Fields in Flutter

A password field is simply a text input field where the entered characters are hidden to prevent shoulder surfing or accidental exposure of sensitive information.

In Flutter, the TextField and TextFormField widgets can be configured as password fields by using the obscureText property.

Using obscureText: true

The simplest way to create a password field in Flutter is by setting obscureText: true. This ensures that whatever the user types is replaced by dots or asterisks.

Example

TextField(
  obscureText: true,
  decoration: InputDecoration(

labelText: "Password",
  ),
)

In this example:

  • obscureText: true ensures that the typed characters are hidden.
  • The user can type normally, but the displayed result is masked.

Why obscureText is Important

  1. Security
    Prevents nearby people from seeing sensitive information.
  2. User Expectations
    Every password field should hide input by default; this is a standard across applications.
  3. Prevent Accidental Sharing
    Helps avoid showing passwords during presentations or screen sharing.

Toggle Show/Hide Password

While obscureText: true is secure, users often want to see their password before submission to avoid typos. A common UX pattern is to provide a show/hide password toggle.

Implementing a Password Toggle

To build a toggle, you need:

  • A StatefulWidget to manage the password visibility.
  • A boolean variable to track visibility state.
  • A suffix icon button to switch between hidden and visible states.

Example: Toggle Password

class PasswordField extends StatefulWidget {
  @override
  _PasswordFieldState createState() => _PasswordFieldState();
}

class _PasswordFieldState extends State<PasswordField> {
  bool _isObscure = true;

  @override
  Widget build(BuildContext context) {

return TextField(
  obscureText: _isObscure,
  decoration: InputDecoration(
    labelText: "Password",
    suffixIcon: IconButton(
      icon: Icon(
        _isObscure ? Icons.visibility_off : Icons.visibility,
      ),
      onPressed: () {
        setState(() {
          _isObscure = !_isObscure;
        });
      },
    ),
  ),
);
  }
}

In this example:

  • _isObscure tracks whether the password is hidden.
  • An IconButton toggles the state.
  • The user can tap the icon to reveal or hide the password.

Why Add a Toggle?

  • Reduces frustration by letting users confirm what they typed.
  • Prevents failed logins due to typing mistakes.
  • Improves accessibility, especially on small mobile keyboards.

Validation for Strong Passwords

Password validation ensures that users create secure and reliable passwords. Without validation, users might set weak passwords that compromise security.

Adding Validation with TextFormField

Flutter’s TextFormField works with the validator property when placed inside a Form. You can enforce rules such as:

  • Minimum length.
  • Must contain uppercase, lowercase, numbers, and special characters.

Example: Strong Password Validation

class SignupForm extends StatefulWidget {
  @override
  _SignupFormState createState() => _SignupFormState();
}

class _SignupFormState extends State<SignupForm> {
  final GlobalKey<FormState> _formKey = GlobalKey<FormState>();

  @override
  Widget build(BuildContext context) {

return Scaffold(
  body: Padding(
    padding: EdgeInsets.all(16),
    child: Form(
      key: _formKey,
      child: Column(
        children: &#91;
          TextFormField(
            obscureText: true,
            decoration: InputDecoration(labelText: "Password"),
            validator: (value) {
              if (value == null || value.isEmpty) {
                return "Password is required";
              }
              if (value.length &lt; 8) {
                return "Password must be at least 8 characters";
              }
              if (!value.contains(RegExp(r'&#91;A-Z]'))) {
                return "Include at least one uppercase letter";
              }
              if (!value.contains(RegExp(r'&#91;a-z]'))) {
                return "Include at least one lowercase letter";
              }
              if (!value.contains(RegExp(r'&#91;0-9]'))) {
                return "Include at least one number";
              }
              if (!value.contains(RegExp(r'&#91;!@#\$&amp;*~]'))) {
                return "Include at least one special character";
              }
              return null;
            },
          ),
          SizedBox(height: 20),
          ElevatedButton(
            onPressed: () {
              if (_formKey.currentState!.validate()) {
                print("Password is valid");
              }
            },
            child: Text("Sign Up"),
          )
        ],
      ),
    ),
  ),
);
  }
}

This enforces a strong password policy, guiding the user toward better security.

Real-World Example: Login Form with Password Field

A login form usually requires:

  • Username or email input.
  • Password input with hidden text.
  • A show/hide password toggle.

Example

class LoginForm extends StatefulWidget {
  @override
  _LoginFormState createState() => _LoginFormState();
}

class _LoginFormState extends State<LoginForm> {
  final GlobalKey<FormState> _formKey = GlobalKey<FormState>();
  bool _isObscure = true;

  @override
  Widget build(BuildContext context) {

return Scaffold(
  body: Padding(
    padding: EdgeInsets.all(16),
    child: Form(
      key: _formKey,
      child: Column(
        children: &#91;
          TextFormField(
            decoration: InputDecoration(labelText: "Email"),
            validator: (value) {
              if (value == null || !value.contains("@")) {
                return "Enter a valid email";
              }
              return null;
            },
          ),
          TextFormField(
            obscureText: _isObscure,
            decoration: InputDecoration(
              labelText: "Password",
              suffixIcon: IconButton(
                icon: Icon(
                  _isObscure ? Icons.visibility_off : Icons.visibility,
                ),
                onPressed: () {
                  setState(() {
                    _isObscure = !_isObscure;
                  });
                },
              ),
            ),
            validator: (value) {
              if (value == null || value.isEmpty) {
                return "Enter your password";
              }
              return null;
            },
          ),
          SizedBox(height: 20),
          ElevatedButton(
            onPressed: () {
              if (_formKey.currentState!.validate()) {
                print("Login successful");
              }
            },
            child: Text("Login"),
          )
        ],
      ),
    ),
  ),
);
  }
}

This login form:

  • Hides the password by default.
  • Provides a toggle to show/hide the password.
  • Validates input for both email and password.

Best Practices for Password Fields

  1. Always use obscureText: true
    • Never display password input as plain text by default.
  2. Add a show/hide toggle
    • Improves usability without sacrificing security.
  3. Implement strong validation rules
    • Encourage secure passwords by enforcing length and complexity.
  4. Use Form and GlobalKey for validation
    • This provides structured handling for multiple fields.
  5. Avoid storing plain text passwords
    • Always encrypt or hash passwords when sending to a server.
  6. Provide helpful error messages
    • Instead of just saying “Invalid password,” guide users by specifying missing requirements.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *