[
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16107831#comment-16107831
]
Josh Elser commented on ACCUMULO-4688:
--------------------------------------
Thoughts?
> Consider adding autocomplete=false to the shell servlet's password input
> element
> --------------------------------------------------------------------------------
>
> Key: ACCUMULO-4688
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
> Project: Accumulo
> Issue Type: Improvement
> Components: monitor
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Trivial
> Fix For: 1.7.4, 1.8.2
>
>
> Had a report from a user which identified an 'issue" in the ShellServlet
> around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the
> {{input}} element that will instruct browsers to not try to save the password
> in some store. In theory, this marginally improves security as the password
> would not be stored on the local machine in (potentially) some way that could
> be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser
> doesn't do this automatically, users would probably do this on their own in a
> way that is *less* secure than how the browser could). Thoughts from everyone
> else?
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
