Standard Joomla XML Field Type - Password
The password field type creates a secure input field where characters are masked (hidden as dots) to prevent shoulder surfing. In Joomla 4.x, 5.x, and 6.x, the field automatically integrates with the Password Policy system, providing built-in password complexity validation and a visual strength meter.
Important: This field is responsible only for visually masking the input during typing. It does not encrypt data upon saving. If the value is saved in parameters (params) or the database, it may be stored in plain text unless additional hashing is implemented at the PHP code level of the extension.
Field Attributes
Below are the main attributes supported by the password field type. Use them inside the <field> tag of your XML manifest.
| Attribute | Type | Description |
|---|---|---|
| name | string | Required. Unique system identifier for the field. Used to retrieve the value in PHP ($input->get('name')). |
| type | string | Required. Must be set to "password". Defines the field type and its behavior (input masking). |
| label | string | Field label visible to the user. Can be a language constant (e.g., JGLOBAL_PASSWORD) or plain text. |
| description | string | Tooltip or description text. In Joomla 3, it appeared as a tooltip on hover. In Joomla 4/5/6, it is usually displayed below the field or depends on the form layout. |
| required | boolean | Makes the field required. If true, the form cannot be submitted without a value. Possible values: true, false. |
| validate | string | Data validation rule. For passwords, validate="password" (complexity check) or validate="equals" (for password confirmation) is often used. In J4+, it is integrated with the core Password Policy. |
| strengthmeter | boolean | Enables the display of the password strength indicator (Strength Meter). Works out-of-the-box in Joomla 4/5/6. Ignored in Joomla 3.x. Values: true, false. |
| filter | string | Input data cleaning filter before saving. For passwords, it is recommended to use filter="string" to preserve special characters while removing control bytes. Do not use alnum or cmd. |
| default | string | Default value. Warning: Never specify a real password in this attribute in plain text within XML files. It is usually left empty. |
| showon | string | Allows dynamically showing or hiding the field depending on the values of other form fields. Example: showon="enable_password:1". Works via JavaScript. |
| maxlength | integer | Maximum number of characters that can be entered into the field. An HTML-level restriction. |
| min_length | integer | Minimum password length for validation. Used in conjunction with validate. In J4+, it can override global password policy settings. |
| size | integer | Visual width of the input field in characters. Does not limit the number of characters entered, only the visible area. |
| hint | string | Hint text (placeholder) displayed inside the empty field before input begins. |
| autocomplete | string | Controls browser autocomplete. For password change fields, autocomplete="new-password" is recommended so the browser offers to generate a new one instead of filling in the old one. To disable: off. |
| readonly | boolean | Read-only mode. The user sees the value but cannot change it. Values: true, false. |
| disabled | boolean | Makes the field disabled. The value is not sent to the server and is not saved. Values: true, false. |
| class | string | Additional CSS classes for field styling. For example, class="form-control input-xlarge". |
| lock | boolean | A Joomla admin form-specific attribute. If true, the field is locked, but an "Edit" button appears next to it to unlock it. Values: true, false. |
| autofocus | boolean | Automatically sets focus on the field after the page loads. Values: true, false. |
| onchange | string | JavaScript code executed when the field value changes. |
| spellcheck | boolean | Enables or disables browser spell checking. For passwords, false is recommended. Values: true, false. |
| pattern | string | Regular expression (Regex) for client-side password format validation (HTML5). For example, pattern=".{8,}" requires a minimum of 8 characters. |
| title | string | Hint text that appears when the pattern rule is violated. Useful for explaining password requirements. |
Visual Examples
Below are screenshots showing how the field appears in different Joomla versions and admin panel themes.
XML Usage Example
Add this code inside your XML manifest form. The type="password" attribute instructs the browser to mask entered characters, and in Joomla 4+ it automatically activates the built-in password complexity check.
```xml
<field
    name="my_password"
    type="password"
    label="Password"
    description="Enter your password" />
```
Retrieving Value in PHP
The field value is retrieved via the JInput object. The examples below demonstrate syntax differences for Joomla 3.x and J4/J5/J6. For correct password handling, the string filter is used, allowing special characters without the risk of control character injection.
```php
// --- OPTION FOR JOOMLA 4 / 5 / 6 (Modern) ---
use Joomla\CMS\Factory;

// Get the input object via Factory
$input = Factory::getApplication()->input;

// getString() cleans input from control characters but preserves password special characters (!@#$%)
// The key must match the name="..." attribute of the field in the XML form
$myPassword = $input->getString('my_password', '');

// --- OPTION FOR JOOMLA 3.x (Legacy) ---
// In J3, JFactory was used
$input = JFactory::getApplication()->input;
$myPassword = $input->get('my_password', '', 'string');

// OR the old way (not recommended for new code):
// $myPassword = JRequest::getVar('my_password', '', 'post', 'string');

// --- IMPORTANT NOTE ---
// The $myPassword variable now contains the "raw" password entered by the user.
// 1. Never output this value to the screen (echo, print_r), even in debug mode.
// 2. Use this variable only for comparison (password_verify)
//    or passing to secure authentication methods.
```
The retrieved variable contains the "raw" value entered by the user. Use it only for secure verification (e.g., hash comparison) or for passing to protected APIs. It is strongly recommended not to write this value to log files, JSON responses, or the screen, even in debug mode.
Tip: If you are using this field for API keys or tokens that need to be stored in plain text (for later use in requests), ensure your extension encrypts this data before writing it to the database or configuration file. The standard password field does not provide encryption upon saving—it only masks characters during visual input.
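The two storage cases described above (hash comparison for user passwords, encryption for API keys or tokens) are sketched below as an added example; it is not Joomla core code or code from the original page. The helper names are hypothetical, the sample values are constructed, and the example assumes PHP with the bundled sodium extension and an encryption key kept outside the database.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names for an extension; these are not Joomla core API.

// User passwords: store only a one-way hash, never the raw field value.
function hashPasswordForStorage(string $raw): string
{
    return password_hash($raw, PASSWORD_DEFAULT);
}

function checkPassword(string $raw, string $storedHash): bool
{
    return password_verify($raw, $storedHash);
}

// API keys/tokens must be recoverable, so use authenticated encryption instead.
function sealSecret(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

function openSecret(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored secret is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Stored secret failed authentication');
    }
    return $plain;
}

// Constructed sample values; a real key is generated once and kept outside the database.
$key    = sodium_crypto_secretbox_keygen();
$hash   = hashPasswordForStorage('S3cure!pass phrase');
$sealed = sealSecret('constructed-api-token-123', $key);

var_dump(checkPassword('S3cure!pass phrase', $hash));               // correct password
var_dump(checkPassword('wrong guess', $hash));                      // wrong password
var_dump(openSecret($sealed, $key) === 'constructed-api-token-123'); // round trip
var_dump(strpos($sealed, 'constructed-api-token') === false);       // token absent from stored form
```

Only `$hash` or `$sealed` would be written to params or the database; the raw field value is discarded after this step.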
Common Pitfalls
- Plain Text Storage: The type="password" field masks input only in the browser. If you save the received value directly to the database or params.ini without prior hashing or encryption, the password will be accessible to anyone with access to the site's files or database.
- Value Loss on Validation Error: In Joomla 4/5/6, for security reasons, the password field is not automatically repopulated with the previous value if the form fails validation (e.g., the user forgot to fill in another required field). The user will have to re-enter the password. This is standard HTML5 and Joomla behavior, not an error.
- Validation Differences Between J3 and J4+: In Joomla 3.x, the validate="password" attribute often required a separate JS script or plugin for complexity checks. In Joomla 4/5/6, validation and the Strength Meter are built into the core and work automatically if the password policy is enabled. Legacy J3 validation scripts may conflict with new web components.
- Browser Autocomplete: Browsers may ignore masking or suggest saving the password even in the administrative area. For fields containing API keys or tokens, it is recommended to use the autocomplete="off" or autocomplete="new-password" attribute to prevent the accidental substitution of the user's personal passwords for service keys.
- Case Sensitivity and Spaces: The string filter (used by default when retrieving via $input->getString()) may trim leading and trailing spaces. If your service requires an exact match including spaces within the password, ensure they are not lost during processing, although most security standards recommend disallowing leading and trailing spaces.