Differentiating problems the password role creates, from ones it just doesn't solve from Michael Cooper on 2016-06-22 (public-aria@w3.org from June 2016)

From: Michael Cooper <cooper@w3.org>
Date: Wed, 22 Jun 2016 11:16:38 -0400
To: ARIA <public-aria@w3.org>
Message-ID: <e2f299e0-3d4a-db64-bbfc-84bfe8e31cb1@w3.org>

I'll start a new thread because I can't figure a good point to jump in 
the current thread 
<https://lists.w3.org/Archives/Public/public-aria/2016Jun/thread.html#msg110> 
on password on this topic.

Many of the concerns people are expressing about the password role seem 
to be about problems with custom passwords in general - regardless of 
whether the ARIA password role were to be used. This include (probably 
incomplete list):

  * Lack of input masking
  * Ability to copy passwords
  * AT don't know it's a password
  * Inability to use password managers

We should be clear that these are not problems that would be introduced 
by the ARIA password role. These are problems that would exist anyways 
if authors are creating custom passwords.

Issues that are not the "fault" of the password shouldn't be part of our 
decision on it, because those problems will exist whether or not we 
introduce the password role. Some of those issues could be ameliorated 
by the role, such as ability to use password managers if they choose to 
support it, or special AT handling if they choose to support it. But 
even if tools don't support the role, those underlying issues with 
custom passwords would be no worse because of the role - they are simply 
problems with using custom passwords.

A few months ago I took a stab at slicing and dicing the password role 
<https://lists.w3.org/Archives/Public/public-aria/2016Mar/0231.html>. I 
tried to analyze risks to providing the role, and risks to not providing 
it. Risks that are not caused by the role aren't part of that analysis 
and we should just focus on the ones that are caused by the role, and 
compare them to risks of not making it available given the risks already 
present with custom passwords. Some of the cost / benefit analysis 
depends on whether authors are in fact using custom passwords and 
bringing about those risks - the degree of that issue is something we 
don't have a common viewpoint on yet. I hope we can get more information 
on that question, and then continue the discussion focused on the issues 
specific to the role itself.

Michael

Received on Wednesday, 22 June 2016 15:16:32 UTC