W3C home > Mailing lists > Public > public-apa@w3.org > June 2016

HTML 5.1 input type="password" is not sufficiently secure in browsers.

From: Richard Schwerdtfeger <richschwer@gmail.com>
Date: Wed, 22 Jun 2016 13:02:30 -0500
Message-Id: <71C675B5-C595-4713-955A-2990C54D9639@gmail.com>
To: public-apa@w3.org
The ARIA review of the password role has uncovered a security hole in some browsers that provide for an object viewer that can show the value of the password field event though it is obvuscated or “masked.” This allows for a person to open up the browser on someone’s machine, go to a site, have the password automatically filled, and then use the object inspector to view the value of the password. Mozilla, was one browser that is doing this. 

It MUST be a failure in the implementation of HTML 5.1 to allow this - including earlier versions of HTML. I don’t know how many browsers do this. 

Received on Wednesday, 22 June 2016 18:03:03 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 22 June 2016 18:03:03 UTC