Re: [whatwg] Password managers ignoring autocomplete='off' harming security

On Wed, Oct 1, 2014 at 4:11 PM, Dan Poltawski <dan@moodle.com> wrote:

> The data in those fields are stored in plain text and shared between
> multiple teachers (multiple accounts), so when another teacher comes
> along - they could access it. There is a scale of severity of the data
> in there - from real passwords to external systems to a shared
> 'enrolment key' which is a passphrase which might be shared with some
> students but not others.


So, you're doing both of the following?
* Using a password field for (sometimes) things that aren't passwords
* Storing (potentially) sensitive data in the clear yourself, and sending
it (again, in the clear) to other accounts/machines

Unless I'm misunderstanding your description of your application, these
sound like undesirable practices, which are themselves at the root of your
users' lack of security, and the browsers' behaviors are merely
illustrating this?

PK

Received on Wednesday, 1 October 2014 23:18:00 UTC