
Commit e051af3

Add word "icon"
Signed-off-by: David A. Wheeler <[email protected]>
1 parent 603bad3 commit e051af3

File tree

1 file changed

+1
-1
lines changed


secure_software_development_fundamentals.md

Lines changed: 1 addition & 1 deletion
Original file line number / Diff line number / Diff line change
@@ -3627,7 +3627,7 @@ Avoid giving security or sensitive information to untrusted users. If a request
36273627

36283628
* If your program requires some sort of user authentication (e.g., you are writing a network service or login program), give the user as little information as possible before they authenticate. In particular, avoid giving away the version number of your program before authentication. Otherwise, if a particular version of your program is found to have a vulnerability, then users who don’t upgrade from that version advertise to attackers that they are vulnerable.
36293629

3630-
* If your program accepts a password, by default don’t show the full password while it's being entered. At most, show the most recently entered character. Showing the full password while it's entered may enable others to see the password. In HTML forms, set the input type to password, which intentionally limits the feedback. Many user interfaces allow users to select showing sensitive information by pressing an eye; that's fine, because the display is by specific user request instead of by default.
3630+
* If your program accepts a password, by default don’t show the full password while it's being entered. At most, show the most recently entered character. Showing the full password while it's entered may enable others to see the password. In HTML forms, set the input type to password, which intentionally limits the feedback. Many user interfaces allow users to select showing sensitive information by pressing an eye icon; that's fine, because the display is by specific user request instead of by default.
36313631

36323632
* On a failed login, just say “*username or password failed*” or similar - don’t expose whether it was the username or the password that failed. That could tell the attacker that the username is valid, and makes further attacks easier.
36333633
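Review bot: the added line (3630+) mixes a curly apostrophe in "don’t" with straight ones in "it's" and "that's"; pick one form for the whole bullet, since the rest of the hunk (line 3632, "don’t expose") uses the curly one. While this line is being touched, the phrase "set the input type to password" would read more precisely in code style as `type="password"`, so the reader sees the literal attribute value rather than prose that could be taken as a description. The wording change itself ("an eye" to "an eye icon") is correct and the rest of the bullet, including the default-hidden / reveal-on-request distinction, is unchanged.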
