D3FO/AX 2012 Password field display control encryption explanation

I was in an internal meeting where new consultants were discussing functionality in the Dynamics 365 for Operations. One of the 'off the cuff' topics was that they were not sure why the password entered, which was three digits, looked like way more characters. Everyone in the room was assured that the password was saved correctly behind the scenes.

Its important to know why the system is functioning the way it is. Thought I share some info.

The reason why this is the case is that form object masks the password and encrypts it when its entered. The presentation of the field is a generic 'mask' as to not give any indication about what characters there are on the field.

Certain pieces of information can make things easier to hack such as:

• Number of characters
• Valid alpha-numeric characters
• Valid special characters
• Personal information about the user (birthday, street address, full name, pets, first date location, etc). 
• Does the person care about security (will have a bad password more than likely...)

To prevent giving any information on the password, its a best practice, which is reflected in the control, to provide as little data as possible to the end user. If the field masked only the characters which were entered, I would know exactly how many characters I need to guess. Now its like playing a more complicated version of Wheel of Fortune with no characters revealed.

Also, you can't just go into the AX DB and pull the data out. Its stored encrypted. Nice try.

Figure 1- Password entered before it is saved into the DB

Figure 2 - Password entered after it is saved into the DB (field is not showing anything about data)