[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

2017-08-01 Thread Josh Elser (JIRA)

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110093#comment-16110093
 ] 

Josh Elser commented on ACCUMULO-4688:
--

> So, since I'm a strong -1, how about we leave this open for comment for 
> another 24 hours (or longer if you think better)

This was essentially my plan. Whenever I circle around to this next after 24hrs 
or so, I'd just close as "Won't Fix".

> Consider adding autocomplete=false to the shell servlet's password input 
> element
>
> Key: ACCUMULO-4688
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
> Project: Accumulo
> Issue Type: Improvement
> Components: monitor
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Trivial
> Fix For: 1.7.4, 1.8.2
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Had a report from a user which identified an "issue" in the ShellServlet 
> around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the 
> {{input}} element that will instruct browsers to not try to save the password 
> in some store. In theory, this marginally improves security as the password 
> would not be stored on the local machine in (potentially) some way that could 
> be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser 
> doesn't do this automatically, users would probably do this on their own in a 
> way that is *less* secure than how the browser could). Thoughts from everyone 
> else?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
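
An added example, not part of the thread or of Accumulo's code: a small JavaScript check that reports the `autocomplete` value on each password input in rendered HTML, which is the attribute the quoted issue is about. The sample form and its field names are constructed; the HTML standard defines `on`, `off` and autofill tokens such as `current-password` for this attribute, not `false`.

```javascript
// Added example: report the autocomplete value of each password <input>.
// Regex-based on purpose: adequate for auditing simple server-rendered forms,
// not a general HTML parser.
const KNOWN_TOKENS = new Map([
  ['on', 'valid: browser may offer to save and fill'],
  ['off', 'valid: asks for no autofill; many browsers still offer to save logins'],
  ['current-password', 'valid: password-manager hint for a login form'],
  ['new-password', 'valid: password-manager hint for a sign-up or change form'],
]);

// Return the value of attribute `name` in one tag, or null when absent.
function attr(tag, name) {
  const re = new RegExp(
    '\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditPasswordInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    if ((attr(tag, 'type') || '').toLowerCase() !== 'password') continue;
    const raw = attr(tag, 'autocomplete');
    const tokens = raw ? raw.toLowerCase().split(/\s+/).filter(Boolean) : [];
    const known = tokens.find((t) => KNOWN_TOKENS.has(t));
    let verdict;
    if (tokens.length === 0) verdict = 'absent or empty: browser default applies';
    else if (known) verdict = KNOWN_TOKENS.get(known);
    else verdict = 'not a defined autocomplete token';
    findings.push({ name: attr(tag, 'name'), autocomplete: raw, verdict });
  }
  return findings;
}

// Constructed sample markup; field names are hypothetical.
const SAMPLE_HTML = `
<form method="POST">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="false">
  <input type="password" name="pass2" autocomplete="off">
  <input type='password' name='pass3' autocomplete='current-password'>
  <input type="password" name="pass4">
</form>`;

console.log(auditPasswordInputs(SAMPLE_HTML));
```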


[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

2017-08-01 Thread Christopher Tubbs (JIRA)

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110049#comment-16110049
 ] 

Christopher Tubbs commented on ACCUMULO-4688:
-

So, since I'm a strong -1, how about we leave this open for comment for another 
24 hours (or longer if you think better), and if nothing changes, we drop as 
"Not A Problem"?



[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

2017-08-01 Thread Josh Elser (JIRA)

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109736#comment-16109736
 ] 

Josh Elser commented on ACCUMULO-4688:
--

Thanks for sharing your opinion, Christopher. I don't think you should feel 
abrasive as this was essentially asking for opinions.

Mike Walch was the only other person who shared one (he was at least +0 for the 
change). I'd put myself at a -0.

> (Also commented on the GitHub PR... wasn't sure where best to post my 
> objection and have it received promptly.)

Both of them result in an email so they are just as promptly received as the other!



[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

2017-08-01 Thread Christopher Tubbs (JIRA)

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109718#comment-16109718
 ] 

Christopher Tubbs commented on ACCUMULO-4688:
-

I strongly disagree with this change. I think the premise is flawed. Modern 
browsers have secure storage for saved passwords. Having autocomplete enabled 
improves security because it allows longer, more complex, less-memorable 
passwords, through the use of a password manager (either the browser's built-in 
one, or a third-party one).

In addition, this servlet has been removed in master (2.0.0), so this would 
only negatively inconvenience users of 1.7/1.8 upon upgrading to a patch. It 
would be unexpected to upgrade, and lose features (security, convenience, etc.).

Sorry if I seem to come off a bit abrasive here, but I feel pretty strongly in 
general about websites trying to make security decisions based on restricting 
client-side browser features, when I think it's better to let the user decide. 
We should secure the server side, and empower users to make their own decisions 
in the convenience-vs-security arena for the client side. That's what I think, 
anyway.

(Also commented on the GitHub PR... wasn't sure where best to post my objection 
and have it received promptly.)



[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

2017-07-31 Thread Josh Elser (JIRA)

[ 
https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16107831#comment-16107831
 ] 

Josh Elser commented on ACCUMULO-4688:
--

Thoughts?
