The $password widget doesn’t use cookies. Rather, it uses your browser’s “local storage” to hold the password input as an unencrypted value. For security reasons, the only way to retrieve this value is via a TWCore javascript function, $tw.utils.getPassword.
The TWCore “upload saver” (see $:/core/modules/savers/upload.js) that is used by the “TiddlySpot” saver (which is compatible with BidiX’s server-side store.php handler) contains this line of code:
password = $tw.utils.getPassword("upload")
Of course, it would be relatively simple to write a javascript macro to fetch this value so it could be accessible to a $reveal widget or $list filter. Normally, I would just post the javascript macro code to show how to do this. However, such code would also open a big hole in the TWCore “password vault”, exposing all unencrypted passwords for potential “harvesting” by unvetted 3rd-party wikitext code.
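An added example, not part of the original post and not TWCore code: a defensive check that lists JavaScript tiddlers outside the core plugin that reference `getPassword` or `localStorage`, so unvetted modules can be reviewed before they are imported. The tiddler object shape, the `auditTiddlers` helper, the example plugin titles and the sample data are assumptions constructed for illustration.

```javascript
// Added example: list JavaScript tiddlers that reference the password store.
// Assumption: tiddlers are plain objects with the usual TiddlyWiki fields
// (title, type, module-type, plugin-type, text), e.g. loaded from a JSON export.
const NEEDLES = ["getPassword", "localStorage"];

// Plugin tiddlers hold their shadow tiddlers as JSON in the text field; unpack them.
function expand(tiddler) {
  if (!tiddler["plugin-type"]) return [tiddler];
  try {
    const bundle = JSON.parse(tiddler.text).tiddlers || {};
    return Object.entries(bundle).map(([title, fields]) =>
      ({ ...fields, title, plugin: tiddler.title }));
  } catch (e) {
    return [{ title: tiddler.title, unparseable: true }]; // report, do not skip
  }
}

function auditTiddlers(tiddlers, trustedPlugins = ["$:/core"]) {
  const findings = [];
  for (const t of tiddlers.flatMap(expand)) {
    if (t.unparseable) { findings.push({ title: t.title, reason: "unparseable plugin" }); continue; }
    // Trust only code shipped inside a trusted plugin bundle. A standalone tiddler
    // whose title merely starts with "$:/core/" is an override and is still checked.
    if (t.plugin && trustedPlugins.includes(t.plugin)) continue;
    const isCode = t.type === "application/javascript" || Boolean(t["module-type"]);
    if (!isCode) continue;
    const hits = NEEDLES.filter((n) => (t.text || "").includes(n));
    if (hits.length) findings.push({ title: t.title, plugin: t.plugin || null, reason: hits.join(", ") });
  }
  return findings;
}

// Constructed sample input, not taken from a real wiki.
const CALL = 'password = $tw.utils.getPassword("upload")'; // the line quoted in the post
const js = (moduleType) => ({ type: "application/javascript", "module-type": moduleType, text: CALL });
const SAMPLE = [
  { title: "$:/core", "plugin-type": "plugin",
    text: JSON.stringify({ tiddlers: { "$:/core/modules/savers/upload.js": js("saver") } }) },
  { title: "$:/plugins/example/demo", "plugin-type": "plugin",
    text: JSON.stringify({ tiddlers: { "$:/plugins/example/demo/macro.js": js("macro") } }) },
  { title: "$:/core/modules/savers/upload.js", ...js("saver") }, // standalone override
  { title: "Notes", type: "text/vnd.tiddlywiki", text: "mentions getPassword in prose only" },
  { title: "$:/plugins/example/broken", "plugin-type": "plugin", text: "{not json" },
];

console.log(auditTiddlers(SAMPLE));
```

A string match like this only narrows what to read by hand; it treats the core plugin as already verified and will miss references that are built up dynamically.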