[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110093#comment-16110093 ]

Josh Elser commented on ACCUMULO-4688:
--

bq. So, since I'm a strong -1, how about we leave this open for comment for another 24 hours (or longer if you think better)

This was essentially my plan. Whenever I circle around to this next after 24hrs or so, I'd just close as "Won't Fix".

> Consider adding autocomplete=false to the shell servlet's password input element
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>             Fix For: 1.7.4, 1.8.2
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an "issue" in the ShellServlet around the password input element.
>
> There is an attribute {{autocomplete}} which can be set to false on the {{input}} element that will instruct browsers to not try to save the password in some store. In theory, this marginally improves security as the password would not be stored on the local machine in (potentially) some way that could be accessed by an adversary.
>
> I'm on the fence about the value of making this change (if the browser doesn't do this automatically, users would probably do this on their own in a way that is *less* secure than how the browser could). Thoughts from everyone else?

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
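The thread turns on what the `autocomplete` attribute actually makes a browser do. As an added example (not code from the Accumulo project or from any participant above), the following JavaScript, runnable under Node, encodes a simplified form of the HTML standard's autofill processing model for one input and runs it over constructed login-form markup to report the effective state of every password field. The markup is invented for the example and is not the ShellServlet's real form; the list of autofill field names is a subset of the standard's; `parseAttrs` is a deliberately minimal attribute parser, not a general HTML parser. Two facts it encodes that bear on the ticket title: the standard's keyword is `off`, not `false` (an unrecognised value such as `autocomplete="false"` is ignored and falls through to the default state, which is `on` unless the owning form carries `autocomplete="off"`), and a field name such as `current-password` is what tells a browser or password manager which field it is looking at.

```javascript
// Added example, not Accumulo's code: a simplified model of how the HTML
// standard's autofill processing model interprets the autocomplete attribute
// on an <input>, plus a scanner that reports the effective state of every
// password field in a page. All markup below is constructed for the demo.

// Subset of the autofill field names defined by the HTML standard.
// "false" is deliberately absent: it is not a keyword the standard knows.
const FIELD_NAMES = new Set([
  'username', 'current-password', 'new-password', 'one-time-code',
  'name', 'email', 'tel', 'organization', 'street-address',
]);

// Returns the effective autofill field name for one <input>:
// "off", "on", or a recognised field name such as "current-password".
// inputAutocomplete / formAutocomplete are the raw attribute values, or
// undefined when the attribute is absent.
function autofillFieldName(inputAutocomplete, formAutocomplete) {
  // The standard's "default" step: a form-level autocomplete="off" is
  // honoured; otherwise the field ends up "on".
  const defaultState = () =>
    typeof formAutocomplete === 'string' &&
    formAutocomplete.trim().toLowerCase() === 'off' ? 'off' : 'on';

  if (typeof inputAutocomplete !== 'string') return defaultState();
  const tokens = inputAutocomplete.trim().toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return defaultState();

  const field = tokens[tokens.length - 1];
  if (field === 'off' || field === 'on') {
    // "off" and "on" must be the only token; anything else is invalid.
    return tokens.length === 1 ? field : defaultState();
  }
  if (FIELD_NAMES.has(field)) return field;
  // Unknown token, e.g. autocomplete="false": the browser ignores it and
  // falls through to the default state.
  return defaultState();
}

// Minimal attribute parser for the demo markup (not a general HTML parser).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Scans every <form> and reports each password input with its raw
// autocomplete value and the state a browser would actually apply.
function scanPasswordFields(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const inputRe = /<input\b([^>]*)>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const form = parseAttrs(f[1]);
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const input = parseAttrs(i[1]);
      if ((input.type || 'text').toLowerCase() !== 'password') continue;
      findings.push({
        form: form.id,
        name: input.name,
        autocomplete: input.autocomplete,
        effective: autofillFieldName(input.autocomplete, form.autocomplete),
      });
    }
  }
  return findings;
}

// Constructed sample page (not the ShellServlet's real markup): the first
// form uses the ticket title's autocomplete=false, the second relies on the
// form-level attribute, the third labels the field for password managers.
const SAMPLE_PAGE = `
<form id="login" method="post" action="/shell">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="false">
  <input type="submit" value="Login">
</form>
<form id="form-off" autocomplete="off">
  <input type="password" name="pass">
</form>
<form id="labelled">
  <input type="password" name="pass" autocomplete="current-password">
</form>`;

for (const row of scanPasswordFields(SAMPLE_PAGE)) {
  console.log(`${row.form}/${row.name}: autocomplete=${row.autocomplete} -> ${row.effective}`);
}
```

Running it prints `login/pass: autocomplete=false -> on`, `form-off/pass: autocomplete=undefined -> off` and `labelled/pass: autocomplete=current-password -> current-password`. The first line is the check a reviewer of the proposed patch would want: setting the attribute to `false` changes nothing, so the choice is really between `off` (ask the browser not to offer storage) and a field name like `current-password` (let the browser's or a third-party password manager fill it), which is the trade-off the rest of the thread argues about.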
[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16110049#comment-16110049 ]

Christopher Tubbs commented on ACCUMULO-4688:
-

So, since I'm a strong -1, how about we leave this open for comment for another 24 hours (or longer if you think better), and if nothing changes, we drop as "Not A Problem"?
[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109736#comment-16109736 ]

Josh Elser commented on ACCUMULO-4688:
--

Thanks for sharing your opinion, Christopher. I don't think you should feel abrasive as this was essentially asking for opinions. Mike Walch was the only other person who shared one (he was at least +0 for the change). I'd put myself at a -0.

bq. (Also commented on the GitHub PR... wasn't sure where best to post my objection and have it received promptly.)

Both of them result in an email so they are just as promptly received as the other!
[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16109718#comment-16109718 ]

Christopher Tubbs commented on ACCUMULO-4688:
-

I strongly disagree with this change. I think the premise is flawed. Modern browsers have secure storage for saved passwords. Having autocomplete enabled improves security because it allows longer, more complex, less-memorable passwords, through the use of a password manager (either the browser's built-in one, or a third-party one).

In addition, this servlet has been removed in master (2.0.0), so this would only negatively inconvenience users of 1.7/1.8 upon upgrading to a patch. It would be unexpected to upgrade, and lose features (security, convenience, etc.).

Sorry if I seem to come off a bit abrasive here, but I feel pretty strongly in general about websites trying to make security decisions based on restricting client-side browser features, when I think it's better to let the user decide. We should secure the server side, and empower users to make their own decisions in the convenience-vs-security arena for the client side. That's what I think, anyway.

(Also commented on the GitHub PR... wasn't sure where best to post my objection and have it received promptly.)
[jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16107831#comment-16107831 ]

Josh Elser commented on ACCUMULO-4688:
--

Thoughts?