> In the short term for the home user I sort of agree, but IMO the fact that 
> there has been no notification for the average user that something has 
> changed is wrong.

Don't disagree, but these sorts of changes feel like no-win situations
for developers.

> For enterprise, this is just going to raise the anxiety about BYOD; even 
> more so when the same feature inevitably migrates to the mobile version as 
> well.

It's misplaced anxiety. There's sufficient research on password habits
to support the conclusion that credential managers improve security.
The security is good enough across all significant platforms,
including mobile, to make the risk of credential disclosure for a
lost/stolen device MUCH less than the risk of bad password habits with
device in hand. The audience for attacking a weak credential is
several orders of magnitude greater than that of someone attacking a
lost or stolen device, and to the extent that credential managers
encourage stronger passwords, it's the right thing to do.

> taking control away from the individual web developer is not the right way to 
> solve this problem over the long term.  It’s a real problem, but we should be 
> educating the web developer and teaching him / her what is and is not an 
> appropriate place to turn autocomplete off.

Choice and education should be targeted at the user, and this change
is consistent with putting the choice where it rightfully belongs.
While Google could certainly do more on the education front, I see
this as a step in that direction as well. Software should ship with
secure defaults, and this change is consistent with that practice if
you accept the argument that credential managers improve security. You
can decide for yourself:

http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
https://www.usenix.org/system/files/conference/hotsec12/hotsec12-final13.pdf

There was also a study on password variants out of UNC (iirc) but I
can't find it now. In any case the study of human factors around
passwords makes it clear that users are struggling to comply with
increasing numbers of credentials and increasingly common password
complexity policy. The only sensible and humane solution, aside from
ditching passwords, is software assistance. Google gets that and I
appreciate it.

M

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev