Re: Risks the password role does create

Hi Jason,

I think that you may have an idea there, although after spending a bit more
time with this, I'm now freaked to report how truly insecure type=password
is as well.

3 minutes on Google, and a few minor edits to an existing example I found,
illustrate how woefully insecure that input type actually is: a single
line of JavaScript can extract the obfuscated characters from *any* input
and echo them back into a second form input as clear text. Make that input
hidden using aria-hidden=true, and I can watch Jason enter all of his
passwords without him even being aware that I can see the values on screen.

That, Jason, is my larger concern. Initially I was envisioning this kind of
snooping on alternative input types "tagged" with the password role, but it
seems that the security issue is bigger than that even. Scary, scandalous
big.

See here: http://jsfiddle.net/rtyre3ay/3/

Rich has suggested that APA file a comment against HTML5.1, and I fully
agree.

JF

On Wed, Jun 22, 2016 at 2:10 PM, White, Jason J <jjwhite@ets.org> wrote:

>
> *From:* Richard Schwerdtfeger [mailto:richschwer@gmail.com]
> *Sent:* Wednesday, June 22, 2016 3:06 PM
>
> I don’t think anyone disagrees that the world would benefit from an
> alternative to passwords for secure logins.
>
> *[Jason] And anyone involved in the APA working group who would like the
> Research Questions Task Force to investigate how this could be achieved in
> an accessible manner (it’s already flagged as a potential topic) should
> make this priority known in APA discussions regarding issues to be taken up
> by the Task Force.*
>
> ------------------------------
>
> This e-mail and any files transmitted with it may contain privileged or
> confidential information. It is solely for use by the individual for whom
> it is intended, even if addressed incorrectly. If you received this e-mail
> in error, please notify the sender; do not disclose, copy, distribute, or
> take any action in reliance on the contents of this information; and delete
> it from your system. Any other use of this e-mail is prohibited.
>
> Thank you for your compliance.
> ------------------------------
>

-- 
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion

Received on Wednesday, 22 June 2016 20:00:39 UTC