[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109718#comment-16109718 ]
Christopher Tubbs commented on ACCUMULO-4688:
---------------------------------------------

I strongly disagree with this change. I think the premise is flawed. Modern browsers have secure storage for saved passwords. Having autocomplete enabled improves security because it allows longer, more complex, less-memorable passwords, through the use of a password manager (either the browser's built-in one, or a third-party one).

In addition, this servlet has been removed in master (2.0.0), so this would only negatively inconvenience users of 1.7/1.8 upon upgrading to a patch. It would be unexpected to upgrade, and lose features (security, convenience, etc.).

Sorry if I seem to come off a bit abrasive here, but I feel pretty strongly in general about websites trying to make security decisions based on restricting client-side browser features, when I think it's better to let the user decide. We should secure the server side, and empower users to make their own decisions in the convenience-vs-security arena for the client side. That's what I think, anyway.

(Also commented on the GitHub PR... wasn't sure where best to post my objection and have it received promptly.)

> Consider adding autocomplete=false to the shell servlet's password input
> element
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>             Fix For: 1.7.4, 1.8.2
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an 'issue' in the ShellServlet
> around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the
> {{input}} element that will instruct browsers to not try to save the password
> in some store. In theory, this marginally improves security as the password
> would not be stored on the local machine in (potentially) some way that could
> be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser
> doesn't do this automatically, users would probably do this on their own in a
> way that is *less* secure than how the browser could). Thoughts from everyone
> else?

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)