Re: Security Evaluation Request

For cases of a "show password" button, it's common to have a bit of js to toggle input type from "password" to "text".  Ideally there would be some more js to ensure the type always returns to "password" before form submittal.

An ARIA role="password" could make navigating that form less confusing if users happen to toggle the password visibility, and consistently lets them know it's a password field.

On the other hand, if the screen reader makes no distinction between type="text" and type="password", users could be put under the false assumption that the password is obscured from the view of people around them, when it's actually clearly visible.


> On Apr 8, 2016, at 10:22 AM, Richard Schwerdtfeger <richschwer@gmail.com> wrote:
> 
> 
>> On Apr 8, 2016, at 8:38 AM, Gervase Markham <gerv@mozilla.org> wrote:
>> 
>> On 06/04/16 21:27, Rich Schwerdtfeger wrote:
>>> ARIA is not meant to be the web police. The reality is that people are
>>> doing this in the wild and if you are interacting with one of these
>>> things and you can’t see the screen you want to know what the intent of
>>> the author is. 
>> 
>> So the target of this feature is people who care enough about web
>> accessibility to include ARIA roles, but not enough to use semantic markup?
>> 
> 
> Companies are required to support accessibility to sell to government agencies, educational institutions, etc. worldwide. 
> 
> Companies do not use standard HTML markup when they feel it does not meet their needs. It really does not have anything to do with whether the markup is semantically correct. This is happening now and we don’t even have a password role. Companies that must do this for business reasons need a way to make it accessible. 
> 
>>> So, we agree that people should not do this but if a user encounters it
>>> they need to know what it is for. Does adding the role attribute with a
>>> value of “password” create a security problem that was not there before?
>> 
>> Well, it encourages people to use non-password fields for passwords,
>> which is arguably a security problem because if people's password
>> managers don't save the passwords, they are more likely to use bad
>> (simple, short) passwords.
> 
> The bigger issue is that passwords as a technology have long outlived their usefulness. The world’s growing aging population has issues remembering passwords for all the sites they have to gain access to, so they often use a simple, short, easy-to-remember password across all the sites, creating a security issue. To this end even HTML’s password is a security risk as it is much easier to hack. This can result in identity theft and a whole litany of issues. Captchas are also a huge problem for aging users. 
> 
> The web community needs to fix this bigger issue. 
> 
> 
>> 
>> Gerv
>> 
> 
> 

Received on Sunday, 10 April 2016 20:55:57 UTC
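
The "show password" toggle described in the top message of this thread, as an added example that is not code from any of the participants: it flips the input between "password" and "text", exposes the current state through `aria-pressed` so a screen reader user can tell when the password is visible, and forces the type back to "password" before the form is submitted. The names `setPasswordVisible`, `wirePasswordToggle`, `fakeElement` and `demo` are hypothetical, and `fakeElement` is a constructed stand-in for DOM elements so the block runs outside a browser.

```javascript
// Masks or reveals the field and keeps the toggle's accessible state in sync.
function setPasswordVisible(input, button, visible) {
  input.type = visible ? "text" : "password";
  // aria-pressed lets assistive technology announce whether the password is on screen.
  button.setAttribute("aria-pressed", String(visible));
  button.textContent = visible ? "Hide password" : "Show password";
}

// Hypothetical helper: wires a toggle button to a password input inside a form.
function wirePasswordToggle(form, input, button) {
  setPasswordVisible(input, button, false); // always start masked
  button.addEventListener("click", () =>
    setPasswordVisible(input, button, input.type === "password"));
  // Capture phase: re-mask before any other submit handler runs.
  form.addEventListener("submit", () => setPasswordVisible(input, button, false), true);
}

// Constructed stand-in for a DOM element (only the members used above).
function fakeElement(type) {
  const handlers = {};
  const attrs = {};
  return {
    type,
    textContent: "",
    setAttribute(name, value) { attrs[name] = value; },
    getAttribute(name) { return name in attrs ? attrs[name] : null; },
    addEventListener(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    dispatch(name) { (handlers[name] || []).forEach((fn) => fn({ type: name })); },
  };
}

// Reveals the password, then submits while it is still revealed.
function demo() {
  const form = fakeElement();
  const input = fakeElement("password");
  const button = fakeElement("button");
  wirePasswordToggle(form, input, button);
  button.dispatch("click");
  const whileShown = { type: input.type, pressed: button.getAttribute("aria-pressed") };
  form.dispatch("submit");
  const atSubmit = { type: input.type, pressed: button.getAttribute("aria-pressed") };
  return { whileShown, atSubmit };
}
```

In a page, pass the real form, input and button elements to `wirePasswordToggle`. A script that calls `form.submit()` directly does not fire the `submit` event, so such code should call `setPasswordVisible(input, button, false)` first or use `form.requestSubmit()`.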