HTML 5.1 input type="password" is not sufficiently secure in browsers.

The ARIA review of the password role has uncovered a security hole in some browsers that provide for an object viewer that can show the value of the password field event though it is obvuscated or “masked.” This allows for a person to open up the browser on someone’s machine, go to a site, have the password automatically filled, and then use the object inspector to view the value of the password. Mozilla, was one browser that is doing this. 

It MUST be a failure in the implementation of HTML 5.1 to allow this - including earlier versions of HTML. I don’t know how many browsers do this. 

Rich

Received on Wednesday, 22 June 2016 18:03:03 UTC