Re: Security Evaluation Request from Richard Schwerdtfeger on 2016-04-08 (public-aria@w3.org from April 2016)

From: Richard Schwerdtfeger <richschwer@gmail.com>
Date: Fri, 8 Apr 2016 11:43:57 -0500
To: James Nurthen <james.nurthen@oracle.com>
Cc: public-aria@w3.org
Message-Id: <B3041950-5F08-4E4B-9985-61C986A209F4@gmail.com>

You cannot make an accessible password field in SVG without it.  

> On Apr 8, 2016, at 11:40 AM, James Nurthen <james.nurthen@oracle.com> wrote:
> 
> 
> 
> On 4/8/2016 9:37 AM, Gervase Markham wrote:
>> On 08/04/16 17:22, Richard Schwerdtfeger wrote:
>>> Companies do not use standard HTML markup when they feel it does not
>>> meet their needs. It really does not have anything to do with whether
>>> the markup is semantically correct. This is happening now and we
>>> don’t even have a password role. Companies that must do this for
>>> business reasons need a way to make it accessible.
>> They have a way to make it accessible - use a proper password field. So
>> what you are asking for is actually a second way to make it accessible.
>> What happens if some company then comes forward and says they can't use
>> your solution because for security reasons they aren't allowed to label
>> the field "password" in any way. What do you do then? Invent an alias
>> and call it "type='mrblobby'"?
>> 
>> There is only a certain distance one should go to accommodate ridiculous
>> corporate requests. "We want to do passwords but don't want to use
>> password fields" is a user-hostile request (both for users requiring
>> accessibility technology and other users) and should be treated as such.
> How can someone create a password field in SVG without this?
> 
> Regards,
> James
> 
>> 
>>> The bigger issue is that passwords as a technology have long outlived
>>> their usefulness. The growing world aging population has issues
>>> remembering passwords for all the sites they have to gain access to
>>> so they often use a simple, short, easy to remember password across
>>> all the sites creating a security issue. To this end even HTML’s
>>> password is a security risk as it is much easier to hack. This can
>>> result in identity theft and a whole litany of issues. Captchas are
>>> also a huge problem for aging users.
>> This may be so; but encouraging people to use non-password fields for
>> passwords and so avoiding all the software people are using to help them
>> manage the password problem (which does make things better) doesn't help.
>> 
>> Gerv
>> 
> 
> -- 
> Regards, James
> <oracle_sig_logo.gif> <http://www.oracle.com/>
> James Nurthen | Principal Engineer, Accessibility
> Phone: +1 650 506 6781 <tel:+1%20650%20506%206781> | Mobile: +1 415 987 1918 <tel:+1%20415%20987%201918> | Video:  <sip:james.nurthen@oracle.com>james.nurthen@oracle.com <mailto:james.nurthen@oracle.com> 
> Oracle Corporate Architecture
> 500 Oracle Parkway | Redwood Cty, CA 94065 
> <green-for-email-sig_0.gif> <http://www.oracle.com/commitment> Oracle is committed to developing practices and products that help protect the environment
>

Received on Friday, 8 April 2016 16:44:27 UTC