[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109718#comment-16109718 ]

Christopher Tubbs commented on ACCUMULO-4688:
---------------------------------------------

I strongly disagree with this change. I think the premise is flawed. Modern 
browsers have secure storage for saved passwords. Having autocomplete enabled 
improves security because it allows longer, more complex, less-memorable 
passwords, through the use of a password manager (either the browser's built-in 
one, or a third-party one).

In addition, this servlet has been removed in master (2.0.0), so this would 
only negatively inconvenience users of 1.7/1.8 upon upgrading to a patch. It 
would be unexpected to upgrade, and lose features (security, convenience, etc.).

Sorry if I seem to come off a bit abrasive here, but I feel pretty strongly in 
general about websites trying to make security decisions based on restricting 
client-side browser features, when I think it's better to let the user decide. 
We should secure the server side, and empower users to make their own decisions 
in the convenience-vs-security arena for the client side. That's what I think, 
anyway.

(Also commented on the GitHub PR... wasn't sure where best to post my objection 
and have it received promptly.)

> Consider adding autocomplete=false to the shell servlet's password input 
> element
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>             Fix For: 1.7.4, 1.8.2
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an 'issue' in the ShellServlet 
> around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the 
> {{input}} element that will instruct browsers to not try to save the password 
> in some store. In theory, this marginally improves security as the password 
> would not be stored on the local machine in (potentially) some way that could 
> be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser 
> doesn't do this automatically, users would probably do this on their own in a 
> way that is *less* secure than how the browser could). Thoughts from everyone 
> else?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)