
Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Jim Manico <jim.manico@owasp.org>
Date: Sat, 3 Jan 2015 10:52:05 -1000
Message-ID: <-8413685738333889454@unknownmsgid>
To: ianG <iang@iang.org>
Cc: Craig Francis <craig.francis@gmail.com>, blink-dev <blink-dev@chromium.org>, Jiri Danek <softwaredevjirka@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, "mozilla-dev-security@lists.mozilla.org" <mozilla-dev-security@lists.mozilla.org>
> Only mild comment I'd make is that the whole '****' thing is soooo 1980s.  I'm specifically talking about university terminal labs, where students would shoulder surf to steal accounts.  These days, people want (need) to see the passwords in clear on the screen because they are so bloody difficult to type because they have to read an 8 hieroglyph masterpiece out of a paper or phone record to keep them secure.

IE addresses this well. Password fields default to not displaying
entered text, but users can click to make that field visible again.
This is an example of a tiny decrease in security for a major increase
in usability.

--
Jim Manico
@Manicode
(808) 652-3805


Received on Saturday, 3 January 2015 20:52:35 UTC
