Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Gavin Sharp <gavin@gavinsharp.com>
Date: Wed, 1 Oct 2014 16:34:19 -0700
Message-ID: <CAHBT5m3Ggbsbqcu4gJBKQ6otOXBAYXLNW62oXpH7MfFzb7zc4Q@mail.gmail.com>
To: Peter Kasting <pkasting@google.com>
Cc: Dan Poltawski <dan@moodle.com>, WHATWG <whatwg@lists.whatwg.org>
On Wed, Oct 1, 2014 at 4:17 PM, Peter Kasting <pkasting@google.com> wrote:
> So, you're doing both of the following?
> * Using a password field for (sometimes) things that aren't passwords
> * Storing (potentially) sensitive data in the clear yourself, and sending
> it (again, in the clear) to other accounts/machines

I probably shouldn't speak for Dan, but I think you're
misunderstanding the use case here (particularly with characterization
#2). The data being intentionally stored in these fields is not
"sensitive", in the sense that it can't be shared in the clear to
other users (teachers), it just needs to not be displayed on the
screen (where it can be viewed by students).

That browsers now automatically go fill in sensitive data (passwords)
into these password fields is the issue, because people might not
notice that happening and then submit the form.

Gavin
Received on Wednesday, 1 October 2014 23:34:51 UTC