
Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Dan Poltawski <dan@moodle.com>
Date: Thu, 2 Oct 2014 00:39:51 +0100
Message-ID: <CADwQr5HNhU+50M-=JiWp7v8Ex2fFGO9HELjq6rNhKk=0PH4bOA@mail.gmail.com>
To: Peter Kasting <pkasting@google.com>
Cc: Dan Poltawski <dan@moodle.com>, WHATWG <whatwg@lists.whatwg.org>

On 2 October 2014 00:17, Peter Kasting <pkasting@google.com> wrote:
> So, you're doing both of the following?
> * Using a password field for (sometimes) things that aren't passwords

Right. Though it could be 'sensitive information' and needs obscuring,
so 'A text field that obscures data entry' seems like the correct
element to use.

> * Storing (potentially) sensitive data in the clear yourself, and sending it
> (again, in the clear) to other accounts/machines

The premise of this suggests that this sensitive data belongs only to
the user in question, whereas it's actually shared sensitive data;
both users need to access it.

> Unless I'm misunderstanding your description of your application, these
> sound like undesirable practices, which are themselves at the root of your
> users' lack of security, and the browsers' behaviors are merely illustrating
> this?

I am intentionally not going into the intricacies of our situation,
but I think it's still a common reality that when integrating with
other systems you often have to have shared secret data.

Dan
Received on Wednesday, 1 October 2014 23:40:37 UTC