Josh Elser created ACCUMULO-4688:
------------------------------------
Summary: Consider adding autocomplete=false to the shell servlet's
password input element
Key: ACCUMULO-4688
URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
Project: Accumulo
Issue Type: Improvement
Components: monitor
Reporter: Josh Elser
Assignee: Josh Elser
Priority: Trivial
Fix For: 1.7.4, 1.8.2
Had a report from a user which identified an "issue" in the ShellServlet around
the password input element.
There is an attribute {{autocomplete}} which can be set to false on the
{{input}} element that will instruct browsers to not try to save the password
in some store. In theory, this marginally improves security as the password
would not be stored on the local machine in (potentially) some way that could
be accessed by an adversary.
I'm on the fence about the value of making this change (if the browser doesn't
do this automatically, users would probably do this on their own in a way that
is *less* secure than how the browser could). Thoughts from everyone else?