What I find quite ironic is that Chrome does not offer to save my Google password. They don't even apply their own rules.
More seriously, I find it really bad, because it means Chrome does not respect the HTML5 standard (and probably other aspects I don't know about). However, thank you Marvin for your responses; I understand there won't be any modification in CAS to hack around the Chrome behavior.

Regards,
Michaël

2014-07-23 21:41 GMT+02:00 Marvin Addison <marvin.addi...@gmail.com>:

> > In the short term for the home user I sort of agree, but IMO the fact that there has been no notification for the average user that something has changed is wrong.
>
> Don't disagree, but these sorts of changes feel like no-win situations for developers.
>
> > For enterprise, this is just going to raise the anxiety about BYOD; even more so when the same feature inevitably migrates to the mobile version as well.
>
> It's misplaced anxiety. There's sufficient research on password habits to support the conclusion that credential managers improve security. The security is good enough across all significant platforms, including mobile, to make the risk of credential disclosure for a lost/stolen device MUCH less than the risk of bad password habits with device in hand. The audience for attacking a weak credential is several orders of magnitude greater than that of someone attacking a lost or stolen device, and to the extent that credential managers encourage stronger passwords, it's the right thing to do.
>
> > Taking control away from the individual web developer is not the right way to solve this problem over the long term. It's a real problem, but we should be educating the web developer and teaching him / her what is and is not an appropriate place to turn autocomplete off.
>
> Choice and education should be targeted at the user, and this change is consistent with putting the choice where it rightfully belongs. While Google could certainly do more on the education front, I see this as a step in that direction as well. Software should ship with secure defaults, and this change is consistent with that practice if you accept the argument that credential managers improve security. You can decide for yourself:
>
> http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
>
> https://www.usenix.org/system/files/conference/hotsec12/hotsec12-final13.pdf
>
> There was also a study on password variants out of UNC (IIRC) but I can't find it now. In any case the study of human factors around passwords makes it clear that users are struggling to comply with increasing numbers of credentials and increasingly common password complexity policy. The only sensible and humane solution, aside from ditching passwords, is software assistance. Google gets that and I appreciate it.
>
> M
>
> --
> You are currently subscribed to cas-dev@lists.jasig.org as: michaelrem...@gmail.com
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev