On Wed, 23 Feb 2005, Ian G wrote:
> Ka-Ping Yee wrote:
> >2. Currently, typing in password fields shows a bunch of stars to
> >   give the impression that what you type is secret.  Well, if we
> >   are really serious about the necessity of SSL for keeping passwords
> >   secret, then why should we give that impression when there's no
> >   encryption?  Suppose that, if there's no SSL, password fields
> >   *don't* blank out the text with stars -- they just behave like
> >   normal visible text fields.  That would be instant, unmistakable
> >   feedback, and i think it would be a pretty intuitive way to show
> >   that the password isn't being kept secret.
[...]
> But, turning off the stars is a non-starter, one would
> have to convince all the people who code and use
> these things of where they came from, and who's
> got the time to do that?

Sorry, could you elaborate a bit?  I couldn't quite figure out what
you meant by that last paragraph.  We'd have to convince *whom* of
where *what* came from?

(Yes, i know it would look weird.  It would make me go "what?"
But that would be the point.  If a transient message also appeared
to say "The password you enter here will be visible to the public",
that would help me realize that it wasn't a browser bug.)

-- ?!ng
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
