- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 1 Oct 2014 23:30:42 +0200
- To: Dan Poltawski <dan@moodle.com>
- Cc: WHATWG <whatwg@lists.whatwg.org>

On Wed, Oct 1, 2014 at 9:19 PM, Dan Poltawski <dan@moodle.com> wrote:
> To outline the situation in broad terms:
> * We have shared secrets on the page which we protect against shoulder
>   surfing by using the password element with autocomplete="off"
> * The password managers are now all auto-filling these fields with
>   passwords on the same domain and in many cases without the user even
>   noticing (optional fields they wouldn't look at)
> * The passwords then get stored in our shared-secret fields clear text
>   and available to all their peers
> * This can then be used for privilege escalation etc

Could you explain the situation in a bit more detail? Is the problem
that multiple users are behind the same computer? As it seems someone
is more likely to get my password by "shoulder surfing" if I type it
in while they watch vs my password manager filling it automatically.

--
https://annevankesteren.nl/

Received on Wednesday, 1 October 2014 21:31:11 UTC