- From: Ed Davies <edavies@nildram.co.uk>
- Date: Sat, 06 Jan 2007 15:42:24 +0000
- To: www-tag@w3.org, Ed.Rice@hp.com

The current version (*) of:

http://www.w3.org/2001/tag/doc/passwordsInTheClear-52.html

section 3, says:

> It is the TAG's opinion that if a form field is a password,
> password masking MUST take place to protect the user from
> onlookers seeing what is being entered and stop anyone from
> later using the 'back' button to discover passwords.

and indicates a Good Practice:

> User agents MUST use password masking when passwords are
> displayed in an HTML form.

I think the combination of "It is the TAG's opinion that..." and "MUST" is a bit of an odd mixture.

More substantially, PDAs which use handwriting recognition are good examples of devices where password masking is not a good strategy. Handwriting recognition is sufficiently unreliable that the user will want to see the characters entered to make sure they are correct. At the same time, with such devices it is easy to orientate the screen to avoid shoulder surfing.

Avoiding revelation of the password with the back button would, however, be an issue on PDAs.

Ed Davies.

* The document doesn't link a permanent URL for its current version. The "Previous version:" link is labelled with what is presumably the current version but actually links to the previous version.

Received on Saturday, 6 January 2007 15:42:43 UTC