
Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Dan Poltawski <dan@moodle.com>
Date: Thu, 2 Oct 2014 00:11:40 +0100
Message-ID: <CADwQr5G+qOtzoFtdpNXyUBqbRhYfwNuSx1JheggABQyjouNN1g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WHATWG <whatwg@lists.whatwg.org>
On 1 October 2014 22:30, Anne van Kesteren <annevk@annevk.nl> wrote:
> Could you explain the situation in a bit more detail? Is the problem
> that multiple users are behind the same computer? As it seems someone
> is more likely to get my password by "shoulder surfing" if I type it
> in while they watch vs my password manager filling it automatically.

No, different computers. Our software (Moodle) is a learning
management system used in teaching environments.

Throughout the software there are fields which a teacher would not
want every student to see, say, they needed to change something
quickly in the settings whilst projecting in a lecture hall. For those
fields we have a password field.

The data in those fields are stored in plain text and shared between
multiple teachers (multiple accounts), so when another teacher comes
along - they could access it. There is a scale of severity of the data
in there - from real passwords to external systems to a shared
'enrolment key' which is a passphrase which might be shared with some
students but not others.

Here is an example from a bug report we got:

"1. Firefox "accidentally" filled in the enrolment key field with some
personal information. The teacher didn't know because it just filled
with stars
2. They saved it
3. Another teacher came along and hit 'unmask' and their personal
information was revealed"
Received on Wednesday, 1 October 2014 23:12:26 UTC
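The failure described in the bug report above (a browser autofills a password-styled field such as the enrolment key, the teacher saves without noticing, and the foreign value is stored) can be caught on the client before submission. The snippet below is an added example, not Moodle's code; it assumes a form with id "settings" whose sensitive inputs carry a data-sensitive attribute, and it treats keystrokes and paste as the only evidence of a deliberate edit, since browser autofill populates a value without them.

```javascript
// Added example (not Moodle's code): flag a sensitive field whose value changed
// without any user keystroke or paste, so an autofilled value is not saved silently.

// One record per sensitive field. `initialValue` is what the server rendered,
// `value` is what is about to be submitted, `userEdited` is set by user actions.
function findSuspectedAutofill(fields) {
  return fields
    .filter((f) => f.value !== f.initialValue && !f.userEdited)
    .map((f) => f.name);
}

// Build the values to submit: a field that changed with no user interaction is
// reverted to the server-rendered value and reported, everything else passes.
function sanitizeSubmission(fields) {
  const suspects = new Set(findSuspectedAutofill(fields));
  const values = {};
  for (const f of fields) {
    values[f.name] = suspects.has(f.name) ? f.initialValue : f.value;
  }
  return { values, blocked: [...suspects] };
}

// Browser wiring. Assumed markup: <form id="settings"> containing inputs such as
// <input type="password" data-sensitive name="enrolmentkey">.
if (typeof document !== "undefined") {
  const form = document.getElementById("settings");
  const tracked = [...form.querySelectorAll("input[data-sensitive]")].map((el) => {
    const rec = { name: el.name, initialValue: el.value, value: el.value, userEdited: false };
    // Assumption: typing or pasting marks a deliberate edit; autofill fires neither.
    el.addEventListener("keydown", () => { rec.userEdited = true; });
    el.addEventListener("paste", () => { rec.userEdited = true; });
    return rec;
  });
  form.addEventListener("submit", (ev) => {
    tracked.forEach((r) => { r.value = form.elements[r.name].value; });
    const { blocked } = sanitizeSubmission(tracked);
    if (blocked.length > 0) {
      // Stop the save and tell the user which masked fields were filled for them.
      ev.preventDefault();
      alert("These fields were filled automatically, not typed: " + blocked.join(", "));
    }
  });
}
```

A server-side copy of the same comparison (submitted value versus stored value plus an explicit "I changed this" flag) is the robust version, since the client check only helps when the script runs.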
