It is possible to hide the Password field on a phishing landing page, as long as it remains within the form, since it is mandatory for the correct recording of statistics.
Why is the Password field mandatory?
In phishing simulations:
- The Password field is necessary to register the data entry
- It allows activating the Teachable Moment (if configured)
- It enables the execution of the redirect URL
If this field is not present:
- The data entry action will not be recorded
- Configured actions will not execute correctly
Base structure of the form
The form must include, at minimum, the following structure:
<form action="$phishing_landing_action_url" method="POST">
<span style="display: none;">$csrf_token</span>
User: <input type="text" name="user" autocomplete="off" />
Password: <input dont_allow_password_entry="" type="password" name="password" autocomplete="off" />
<input type="submit" value="Log In" />
</form>
How to hide the Password field?
If you want to use only the user field, it is possible to hide the Password field without deleting it.
To do this, you can modify the field as follows:
<input dont_allow_password_entry="" type="password" name="password" autocomplete="off" value="value" style="visibility: hidden">
In this way:
- The field still exists in the form
- The platform can correctly register the action
- The user will not see the field
Considerations
- The field must not be deleted, only hidden
- The attributes name="password" must remain unchanged
- The form must respect the base structure
💡 Best practices
- Use the standard form structure
- Hide the field only when necessary
- Validate behavior before launching the campaign
- Avoid modifying key form attributes