Objection to password role

All,

A lot has been said about the password role. Security problems, lack of good use cases, and difficulties for users. Despite all that, it seems it will still get into the final specification. I would like to quote the ‘Priority of Constituencies <https://www.w3.org/TR/html-design-principles/#priority-of-constituencies>’ (thank you Jonathan Kingston for reminding me <https://jotter.jonathankingston.co.uk/blog/2016/05/16/role-password-is-not-wise/>):

> In case of conflict, consider users over authors over implementors over specifiers over theoretical purity.

How is adding a role—where one of the use cases is preventing the use of password managers—helping the users? How does that adhere to the priority of constituencies?

To give some background to this e-mail, I’ve looked up some discussions on the list:

James Craig opposing this on potential security implications <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0064.html>
Léonie Watson expressing concerns about character obfuscation <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0065.html>
Birkir Gunnarsson stating we are reinventing the wheel <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0066.html> (and suggesting we might be better off with an aria-secure attribute)
Brad Hill on security risks and website identity verification <https://lists.w3.org/Archives/Public/public-aria/2016May/0009.html>
Léonie Watson expressing concerns about ATs announcing “custom password” <https://lists.w3.org/Archives/Public/public-aria/2016May/0001.html>
John Foliot expressing concerns in general about the password role <https://lists.w3.org/Archives/Public/public-aria/2016May/0004.html>
Me asking for an update on contact with the Security & Privacy IG (no reply) <https://github.com/w3c/aria/issues/166#issuecomment-176638972>

Some more background links:

Original post to list by Joanie <https://lists.w3.org/Archives/Public/public-aria/2016Jan/0053.html>
Issue on W3C tracker <http://www.w3.org/WAI/ARIA/track/issues/1005>
Security check by Microsoft <http://www.w3.org/WAI/ARIA/track/actions/2020> (W3C tracker issue)
Jonathan Kingston’s excellent piece on the password role <https://jotter.jonathankingston.co.uk/blog/2016/05/16/role-password-is-not-wise/>
Marco Zehe agreeing with Jonathan’s article on Twitter <https://twitter.com/MarcoInEnglish/status/743680877444497408>
I’ve reread large parts of the threads, and don’t see any good reason to implement this. There don’t seem to be a lot of people in favour of this role. There are however a lot of people raising concerns. There hasn’t been a formal review by any of the security working groups as far as I can tell.

So why is this role being pushed so hard despite all the concerns raised?

—Michiel

Received on Friday, 17 June 2016 10:10:34 UTC