Risks the password role does create from Michael Cooper on 2016-06-22 (public-aria@w3.org from June 2016)

From: Michael Cooper <cooper@w3.org>
Date: Wed, 22 Jun 2016 13:20:40 -0400
To: ARIA <public-aria@w3.org>
Message-ID: <9b872d0d-32d4-45c9-a2c4-f7c61706246b@w3.org>

In my previous message 
<https://lists.w3.org/Archives/Public/public-aria/2016Jun/0177.html> I 
tried to separate out the risks people were concerned about with the 
password role, that I think are not caused by the role itself. Here I 
want to identify the risks that *are* created by the role, so we can 
weigh those since they're the ones I argue are the only ones we should 
be considering for the role. So far, two concerns specific to the role 
stick out in my memory:

  * The presence of the role makes it easier for bots to discover custom
    password fields and exploit such unsecured fields.
  * The availability of the role may encourage authors to use custom
    password fields with the risks those bring.

Are there others I missed? That are caused by the password role itself, 
not by custom password fields in general.

Michael

Received on Wednesday, 22 June 2016 17:20:34 UTC