- From: John Foliot <john.foliot@deque.com>
- Date: Wed, 22 Jun 2016 15:00:07 -0500
- To: "White, Jason J" <jjwhite@ets.org>
- Cc: Richard Schwerdtfeger <richschwer@gmail.com>, Mike Cooper <cooper@w3.org>, ARIA <public-aria@w3.org>
- Message-ID: <CAKdCpxy-FHSmjbdjuh9apjj3e3cszecTa6KHv_u6ObXXCZ=JtA@mail.gmail.com>
Hi Jason,

I think that you may have an idea there, although after spending a bit more time with this, I'm now freaked to report how truly insecure type=password is as well.

3 minutes on Google, and a few minor edits to an existing example I found, illustrate how woefully insecure that input type actually is: a single line of javascript can extract the obfuscated characters from *any* input and echo them back into a second form input as clear text. Make that input hidden using aria-hidden=true, and I can watch Jason enter all of his passwords without him even being aware that I can see the values on screen. That, Jason, is my larger concern.

Initially I was envisioning this kind of snooping on alternative input types "tagged" with the password role, but it seems that the security issue is bigger than that even. Scary, scandalous big.

See here: http://jsfiddle.net/rtyre3ay/3/

Rich has suggested that APA file a comment against HTML5.1, and I fully agree.

JF

On Wed, Jun 22, 2016 at 2:10 PM, White, Jason J <jjwhite@ets.org> wrote:

> *From:* Richard Schwerdtfeger [mailto:richschwer@gmail.com]
> *Sent:* Wednesday, June 22, 2016 3:06 PM
>
> I don't think anyone disagrees that the world would benefit from an alternative to passwords for secure logins.
>
> *[Jason] And anyone involved in the APA working group who would like the Research Questions Task Force to investigate how this could be achieved in an accessible manner (it's already flagged as a potential topic) should make this priority known in APA discussions regarding issues to be taken up by the Task Force.*

--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion
Received on Wednesday, 22 June 2016 20:00:39 UTC
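As an added illustration (not code from the thread or from the jsfiddle it links to): the masking that type=password applies is presentational, so any script that runs in the login page can read the field's value, and the practical control is which scripts run there. This small audit classifies a page's scripts by origin and rates password-field exposure; the origin and script list used to exercise it are constructed sample values.

```javascript
// Added example, not code from the thread or the jsfiddle it links to.
// type=password (and aria-hidden) only hide characters from the display; any
// script already running in the page can read the field's .value. The control
// that matters is therefore which scripts the login page loads, so this audit
// classifies them relative to the page origin.

// Classify script sources: inline (no src), same-origin, third-party, invalid.
// `pageOrigin` looks like "https://login.example"; `scriptSrcs` is an array of
// src attribute values (null or "" for inline scripts).
function classifyScripts(pageOrigin, scriptSrcs) {
  const report = { inline: 0, sameOrigin: [], thirdParty: [], invalid: [] };
  for (const src of scriptSrcs) {
    if (src === null || src === undefined || src === "") {
      report.inline += 1;
      continue;
    }
    let origin;
    try {
      origin = new URL(src, pageOrigin).origin; // resolves relative paths
    } catch {
      report.invalid.push(src);
      continue;
    }
    (origin === pageOrigin ? report.sameOrigin : report.thirdParty).push(src);
  }
  return report;
}

// Rate exposure: every password input is readable by every script counted
// above, so third-party or uncontrolled inline scripts on a page with password
// fields are the finding; a Content-Security-Policy is the standard constraint.
function passwordFieldRisk(report, passwordFieldCount, hasCsp) {
  if (passwordFieldCount === 0) return "none";
  if (report.thirdParty.length > 0) return "high";   // code the site does not control
  if (report.inline > 0 && !hasCsp) return "medium"; // injected inline script would run
  return "low";
}

// Browser entry point (returns null under Node): gather real values from the DOM.
// Only a <meta> CSP is visible from the DOM, so hasCsp is a lower bound; a
// header-delivered policy would not be detected here.
function auditCurrentPage() {
  if (typeof document === "undefined") return null;
  const srcs = Array.from(document.scripts).map((s) => s.getAttribute("src"));
  const pwCount = document.querySelectorAll('input[type="password"]').length;
  const hasCsp = document.querySelector('meta[http-equiv="Content-Security-Policy"]') !== null;
  const report = classifyScripts(document.location.origin, srcs);
  return { report, pwCount, risk: passwordFieldRisk(report, pwCount, hasCsp) };
}
```

Paste the block into the console of a login page and call `auditCurrentPage()` to see which scripts share the page with its password fields.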