Re: Security Evaluation Request

On Fri, 08 Apr 2016 19:15:54 +0200, Joseph Scheuhammer  
<> wrote:

> On 2016-04-08 12:22 PM, Richard Schwerdtfeger wrote:
>> Companies do not use standard HTML markup when they feel it does not  
>> meet their needs.

Sure. The question is whether the needs that they perceive match those  
that should be met, or are in fact destructive.

If the needs they perceive lead them in the direction of doing something  
destructive, e.g. breaking accessibility, then we should try to find a  
solution that enables them to achieve their goals, but enhances  
accessibility - and is an easier way to do what they are trying to do.

Hence my earlier question about the use cases. What are the needs that  
people think justify not using a "real" password field?

> Prior to the introduction of the password <input> type, there were
> password forms on the web, presumably based on type="text".  I assume
> companies did something to address security issues, such as using script
> to obscure the password text, and using https to transmit it.  I don't
> know if one could hook into a password manager back then, but I wouldn't
> be surprised if efforts were made to do so.

The input element had password types from the beginning. People generally  
used server-side authentication in the olden days, based on standards that  
didn't allow customisation. Client-side technology wasn't really up to  
tricks like obscuring input via isindex until forms were reasonably common.

Prior to, and long after, the introduction of the password input, major  
companies transmitted passwords in the clear - some multinational  
household names *still* do so today, exposing users to significant risk of  
theft, at least.



Charles McCathie Nevile - web standards - CTO Office, Yandex - - - Find more at

Received on Friday, 8 April 2016 21:16:31 UTC