8

When I record the network tab in Chrome Developer Tools when logging in to my site, I find that the username and password are stored in plaintext under form data.

You can also find it in Safari, Firefox and Opera too.

I tried logging in to various sites like Google, The Verge and Reddit and they all do the same thing as my site.

Is this something to worry about? Is it possible to prevent it?


Oskar Persson

3 Answers

10

The developer tools temporarily hold all the data both sent and received for a given page load. This includes everything: passwords, session keys, uploads, downloads. Everything. It also can capture JavaScript activity, window draw events, and pretty much anything that is interesting or useful to developers.

If you're worried about it, this is trivial to prevent: don't open the developer tools.

If the tools aren't open during the actual request, then no data will be captured. Opening up the developer tools after the page is loaded gives you an empty trace and the warning, "No requests captured."

tylerl
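
An added example, not part of the answer above: the capture it describes can be saved from the Network tab as a HAR file (a JSON log), and that file carries the same form data and session cookies. This sketch masks them before such a file is shared; the field-name pattern, header list and sample capture are assumptions constructed for illustration.

```javascript
// Assumed patterns; extend them for your own site's field and header names.
const SENSITIVE_FIELD = /pass|pwd|secret|token/i;
const SENSITIVE_HEADER = /^(cookie|set-cookie|authorization)$/i;
const MASK = "REDACTED";

const maskHeaders = (headers = []) =>
  headers.map((h) => (SENSITIVE_HEADER.test(h.name) ? { ...h, value: MASK } : h));
const maskParam = (p) => (SENSITIVE_FIELD.test(p.name) ? { ...p, value: MASK } : p);

// Mask sensitive fields inside an application/x-www-form-urlencoded body.
function maskUrlEncoded(text) {
  const params = new URLSearchParams(text);
  for (const name of new Set(params.keys())) {
    if (SENSITIVE_FIELD.test(name)) params.set(name, MASK);
  }
  return params.toString();
}

function redactHar(har) {
  const out = JSON.parse(JSON.stringify(har)); // work on a copy, keep the input intact
  for (const { request, response } of out.log.entries) {
    request.headers = maskHeaders(request.headers);
    if (response) response.headers = maskHeaders(response.headers);
    const body = request.postData;
    if (!body) continue;
    if (body.params) body.params = body.params.map(maskParam);
    if (typeof body.text !== "string") continue;
    if (/x-www-form-urlencoded/i.test(body.mimeType || "")) {
      body.text = maskUrlEncoded(body.text);
    } else if (SENSITIVE_FIELD.test(body.text)) {
      body.text = MASK; // JSON or multipart body naming a secret: drop it whole
    }
  }
  return out;
}

// Constructed sample: one login request as a HAR export would record it.
const SAMPLE_HAR = { log: { version: "1.2", entries: [{
  request: { method: "POST", url: "https://example.test/login",
    headers: [{ name: "Cookie", value: "sid=abc123" }, { name: "Accept", value: "*/*" }],
    postData: { mimeType: "application/x-www-form-urlencoded",
      text: "username=alice&password=hunter2",
      params: [{ name: "username", value: "alice" }, { name: "password", value: "hunter2" }] } },
  response: { status: 302, headers: [{ name: "Set-Cookie", value: "sid=def456" }] },
}] } };

console.log(JSON.stringify(redactHar(SAMPLE_HAR).log.entries[0].request.postData));
```
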
6

No, it is not something to worry about.

The network tab does not store anything. It's literally showing you the data that you are sending out over the network. As you can see, the network connection to Google is secured with HTTPS, so anyone sniffing on the network will only see encrypted data.

0

It does allow some scary local hacking possibilities, though. Anyone in your household, or who has local access to your computer for ANY reason (perhaps someone at an airport gets you to let him check his email on your laptop), could easily open dev tools, undock the tool window and minimize/hide it, get or wait for you to log in to some site, then make an excuse for needing to use the computer right after, at which point he/she could quickly check the dev tools and grab your password, close devtools and continue onward... boom, password grabbed.

So keep an eye on untrustworthy locallers!

  • 3
    If someone has access to your machine while you are logged in, access to dev tools in a browser is near the bottom of your concerns or threats ... – schroeder Jul 15 '21 at 12:17