Re: [whatwg] Password managers ignoring autocomplete='off' harming security

On Wed, Oct 1, 2014 at 4:17 PM, Peter Kasting <pkasting@google.com> wrote:
> So, you're doing both of the following?
> * Using a password field for (sometimes) things that aren't passwords
> * Storing (potentially) sensitive data in the clear yourself, and sending
> it (again, in the clear) to other accounts/machines

I probably shouldn't speak for Dan, but I think you're
misunderstanding the use case here (particularly with characterization
#2). The data being intentionally stored in these fields is not
"sensitive", in the sense that it can't be shared in the clear to
other users (teachers), it just needs to not be displayed on the
screen (where it can be viewed by students).

That browsers now automatically go fill in sensitive data (passwords)
into these password fields is the issue, because people might not
notice that happening and then submit the form.

Gavin

Received on Wednesday, 1 October 2014 23:34:51 UTC