- From: James Graham <jg307@cam.ac.uk>
- Date: Tue, 29 Mar 2005 12:23:33 +0100
Mikko Rantalainen wrote:
> James Graham wrote:
>> Mikko Rantalainen wrote:
>>> My bank uses one-shot passwords for web access
>>
>> Which seems to be an ideal use-case for the autocomplete attribute...
>
> But in this case, the autocomplete isn't a *security* feature (though
> my point is, it should never be considered a security feature).
> Instead, it's an enhancement (UA will not store or incorrectly
> suggest old value as valid input) and it should make no difference to
> bank if UA supports that feature or not.

True. But it is a much better use case than the one that is currently in the spec. Ian, can we change the use case to mention some sort of one-time password rather than the contrived nuclear weapon example? It might even encourage people to implement something actually secure rather than just a set of fixed passwords...

In general I don't see the problem with autocomplete='off'. It does offer some security. Not very strong, but at least as useful as hiding passwords as *** - a feature which has the same detrimental effect on usability that autocomplete=off has, is equally useless in the face of a suitably determined attacker, and yet one which few people wish to disable.

> WF2 shouldn't require UAs to support this feature. Just a note that
> some institutions insanely want this feature is enough.

As Anne points out, WF2 uses "should", not "must", so it's not required for conformance. In effect the spec reads "you can not support this feature, as long as you don't mind banks not supporting your browser. It won't make you WF2 non-compliant, but since you're unlikely to have any market share, that's not your biggest problem".

-- 
"But if science you say still sounds too deep,
Just do what Beaker does, just shrug and 'Meep!'"
-- Dr. Bunsen Honeydew & Beaker of Muppet Labs
Received on Tuesday, 29 March 2005 03:23:33 UTC