Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Peter Kasting <pkasting@google.com>
Date: Wed, 1 Oct 2014 16:17:34 -0700
Message-ID: <CAAHOzFDDEqfWfYXe5oTiZqJPD99=pK3eFXKKBNmHhbra=LOWvg@mail.gmail.com>
To: Dan Poltawski <dan@moodle.com>
Cc: WHATWG <whatwg@lists.whatwg.org>

On Wed, Oct 1, 2014 at 4:11 PM, Dan Poltawski <dan@moodle.com> wrote:

> The data in those fields are stored in plain text and shared between
> multiple teachers (multiple accounts), so when another teacher comes
> along - they could access it. There is a scale of severity of the data
> in there - from real passwords to external systems to a shared
> 'enrolment key' which is a passphrase which might be shared with some
> students but not others.
So, you're doing both of the following?
* Using a password field for (sometimes) things that aren't passwords
* Storing (potentially) sensitive data in the clear yourself, and sending
it (again, in the clear) to other accounts/machines

Unless I'm misunderstanding your description of your application, these
sound like undesirable practices, which are themselves at the root of your
users' lack of security, and the browsers' behaviors are merely
illustrating this?

PK

Received on Wednesday, 1 October 2014 23:18:00 UTC
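The reply above objects to keeping values such as enrolment keys and external-system credentials in the clear and then handing that cleartext to other accounts. As an added illustration for this thread (not code from the thread, from Moodle, or from any browser vendor), the following Go program shows the server-side alternative for a value that genuinely must be displayed back to other authorised users: keep it AES-GCM encrypted under a key the application server holds, bind each ciphertext to its owning record so a copy pasted into another record will not decrypt, and check that a stored row or dump no longer carries the secret verbatim. The type and function names (`SealedStore`, `Seal`, `Open`, `ContainsPlaintext`), the course ids and the sample enrolment key are all hypothetical; the all-zero key exists only so the program runs offline. The separate point about using `type="password"` fields for things that are not passwords is a markup choice and is not addressed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SealedStore keeps secrets that must later be shown back to authorised
// users (an enrolment key, a credential for an external system) encrypted
// at rest under a key the application server holds, instead of in the clear.
// Hypothetical type written for this example only.
type SealedStore struct {
	aead cipher.AEAD
}

// NewSealedStore wraps a 16-, 24- or 32-byte key in AES-GCM.
func NewSealedStore(key []byte) (*SealedStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SealedStore{aead: aead}, nil
}

// Seal encrypts secret and binds it to owner (for example a course id) as
// additional authenticated data, so a ciphertext copied into another
// owner's row will not decrypt. Output is base64(nonce || ciphertext).
func (s *SealedStore) Seal(owner, secret string) (string, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nil, nonce, []byte(secret), []byte(owner))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal; it fails if the blob was altered, truncated, or
// presented under a different owner than the one used when sealing.
func (s *SealedStore) Open(owner, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	n := s.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("blob too short")
	}
	pt, err := s.aead.Open(nil, raw[:n], raw[n:], []byte(owner))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ContainsPlaintext reports whether a stored value (a database row, a
// backup dump, a page rendered for another account) still carries the
// secret verbatim, which is the situation the reply objects to.
func ContainsPlaintext(stored, secret string) bool {
	return strings.Contains(stored, secret)
}

func main() {
	// Constructed all-zero key so the demo runs offline; a deployment
	// would load the key from a secret store, never from the database.
	key := make([]byte, 32)
	store, err := NewSealedStore(key)
	if err != nil {
		panic(err)
	}
	secret := "enrolment-key-2014" // constructed sample value
	clearRow := secret             // what the "store in the clear" design persists
	sealedRow, err := store.Seal("course-42", secret)
	if err != nil {
		panic(err)
	}
	fmt.Println("clear row leaks secret:", ContainsPlaintext(clearRow, secret))
	fmt.Println("sealed row leaks secret:", ContainsPlaintext(sealedRow, secret))
	pt, _ := store.Open("course-42", sealedRow)
	fmt.Println("decrypted for course-42:", pt)
	_, err = store.Open("course-43", sealedRow)
	fmt.Println("decrypted for course-43:", err)
}
```

Encryption at rest does not by itself decide who may see the value; the application still has to check that the requesting account is entitled to it before calling `Open`, and the key must never live in the same database as the ciphertexts, or the design degrades back to the cleartext case.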

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:24 UTC