[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107831#comment-16107831 ]
Josh Elser commented on ACCUMULO-4688: -------------------------------------- Thoughts? > Consider adding autocomplete=false to the shell servlet's password input > element > -------------------------------------------------------------------------------- > > Key: ACCUMULO-4688 > URL: https://issues.apache.org/jira/browse/ACCUMULO-4688 > Project: Accumulo > Issue Type: Improvement > Components: monitor > Reporter: Josh Elser > Assignee: Josh Elser > Priority: Trivial > Fix For: 1.7.4, 1.8.2 > > > Had a report from a user which identified an 'issue" in the ShellServlet > around the password input element. > There is an attribute {{autocomplete}} which can be set to false on the > {{input}} element that will instruct browsers to not try to save the password > in some store. In theory, this marginally improves security as the password > would not be stored on the local machine in (potentially) some way that could > be accessed by an adversary. > I'm on the fence about the value of making this change (if the browser > doesn't do this automatically, users would probably do this on their own in a > way that is *less* secure than how the browser could). Thoughts from everyone > else? -- This message was sent by Atlassian JIRA (v6.4.14#64029)