- From: Michael Cooper <cooper@w3.org>
- Date: Wed, 22 Jun 2016 14:33:33 -0400
- To: ARIA <public-aria@w3.org>

I'm replying to my own message so I can separate opinion from analysis. Below is my own opinion on the risks created by the password role.

On 22/06/2016 1:20 PM, Michael Cooper wrote:
> The presence of the role makes it easier for bots to discover custom
> password fields and exploit such unsecured fields.

This one seems like a real risk. On the other hand I wonder how big it is. Quite likely, custom password fields could already be detected much of the time, since they are likely to have a label of "password" or something. Rich has also expressed doubt that the scammers will target such a small user community. I can't say there is no risk here, and want to weigh it against potential benefits, but I'm not sure this risk has great weight.

> The availability of the role may encourage authors to use custom
> password fields with the risks those bring.

I doubt this is a likely scenario. It's hard to imagine authors will choose to use custom password fields because the password role exists, and that those same authors would choose not to use custom password fields if the role did not exist. It's not an "if we build it they will come" situation. Rather, it's a way to provide the possibility, even if not the guarantee, for user agent support and protections if authors have already decided to create a custom password field.

Michael

Received on Wednesday, 22 June 2016 18:33:26 UTC