Re: Security Evaluation Request

On Fri, Apr 8, 2016 at 1:37 PM, Tanvi Vyas <tanvi@mozilla.com> wrote:

> Websites may have a reason for using type="text" instead of
> type="password" on a password field.  Perhaps they don't want Password
> Managers to save the user's password[1].  Or perhaps they are trying to
> avoid browser warnings about unencrypted HTTP pages requesting password
> information[2].  Or something else?
>
> If we create role="password", browsers and password managers will adapt to
> treating role="password" the same way as they treat type="password".  Then
> the same websites that purposely avoid type="password" will start avoiding
> role="password".
>
> ~Tanvi
>
> [1] I am unclear on why some sites wouldn't want their users to have the
> benefits of a Password Manager.  The only mildly plausible reason I've
> heard before is that such websites are worried they will not meet PCI
> compliance if passwords are stored in cleartext.  This should be true when
> we are talking about passwords on the site's servers, but PCI compliance
> shouldn't be affected by users who choose to store their password on their
> own machines.
>

Back in the "identity on the web" w3c workshop in 2010 we talked about this
a bit. There were at least a couple reasons given.

Perhaps the main one was that sites were worried that password managers
would not only save the password but autocomplete it, and that would make
it too easy for the password to be phished or for someone to walk up to your
computer and conduct a transaction.

A variant on this was simply that bank passwords were "too sensitive to
store in a password manager".

At the time, I don't think there was quite as much trust established in
password managers, nor was there so much of a consensus that password
managers + hard-to-guess / auto-generated passwords are the way to go.

This was also before browsers started ignoring the autocomplete=off
attribute.

-- Dirk

Received on Friday, 8 April 2016 20:55:23 UTC