accumulo-notifications mailing list archives

From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
Date Tue, 01 Aug 2017 20:43:00 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109718#comment-16109718 ]

Christopher Tubbs commented on ACCUMULO-4688:
---------------------------------------------

I strongly disagree with this change. I think the premise is flawed. Modern browsers have
secure storage for saved passwords. Having autocomplete enabled improves security because
it allows longer, more complex, less-memorable passwords, through the use of a password manager
(either the browser's built-in one, or a third-party one).

In addition, this servlet has been removed in master (2.0.0), so this would only negatively
inconvenience users of 1.7/1.8 upon upgrading to a patch. It would be unexpected to upgrade,
and lose features (security, convenience, etc.).

Sorry if I seem to come off a bit abrasive here, but I feel pretty strongly in general about
websites trying to make security decisions based on restricting client-side browser features,
when I think it's better to let the user decide. We should secure the server side, and empower
users to make their own decisions in the convenience-vs-security arena for the client side.
That's what I think, anyway.

(Also commented on the GitHub PR... wasn't sure where best to post my objection and have it
received promptly.)

> Consider adding autocomplete=false to the shell servlet's password input element
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>             Fix For: 1.7.4, 1.8.2
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an 'issue' in the ShellServlet around the password
> input element.
> There is an attribute {{autocomplete}} which can be set to false on the {{input}} element
> that will instruct browsers to not try to save the password in some store. In theory, this
> marginally improves security as the password would not be stored on the local machine in (potentially)
> some way that could be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser doesn't do this
> automatically, users would probably do this on their own in a way that is *less* secure than
> how the browser could). Thoughts from everyone else?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
