accumulo-notifications mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element
Date Wed, 02 Aug 2017 01:26:02 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110093#comment-16110093 ]

Josh Elser commented on ACCUMULO-4688:
--------------------------------------

bq. So, since I'm a strong -1, how about we leave this open for comment for another 24 hours
(or longer if you think better)

This was essentially my plan. Whenever I circle around to this next after 24hrs or so, I'd
just close as "Won't Fix".

> Consider adding autocomplete=false to the shell servlet's password input element
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>             Fix For: 1.7.4, 1.8.2
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an "issue" in the ShellServlet around the password
> input element.
> There is an attribute {{autocomplete}} which can be set to false on the {{input}} element
> that will instruct browsers to not try to save the password in some store. In theory, this
> marginally improves security as the password would not be stored on the local machine in (potentially)
> some way that could be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser doesn't do this
> automatically, users would probably do this on their own in a way that is *less* secure than
> how the browser could). Thoughts from everyone else?



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
