Date: Thu, 3 Aug 2017 17:23:00 +0000 (UTC)
From: "Josh Elser (JIRA)"
To: notifications@accumulo.apache.org
Subject: [jira] [Resolved] (ACCUMULO-4688) Consider adding autocomplete=false to the shell servlet's password input element

     [ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser resolved ACCUMULO-4688.
----------------------------------
       Resolution: Won't Fix
    Fix Version/s:     (was: 1.7.4)
                       (was: 1.8.2)

Leaving this one as "Won't Fix". If those in favor can give a better argument, we can revisit it later.

> Consider adding autocomplete=false to the shell servlet's password input element
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-4688
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: monitor
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Trivial
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Had a report from a user which identified an "issue" in the ShellServlet around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the {{input}} element that will instruct browsers to not try to save the password in some store. In theory, this marginally improves security as the password would not be stored on the local machine in (potentially) some way that could be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser doesn't do this automatically, users would probably do this on their own in a way that is *less* secure than how the browser could). Thoughts from everyone else?

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
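
An added example, not part of the original message or of the Accumulo code base: a small Python audit that lists every password input in a page together with the autocomplete setting that applies to it, falling back to the enclosing form when the input carries none. The sample markup, the field names and the status labels are constructed for illustration, and only single-token attribute values are handled.

```python
from html.parser import HTMLParser

# Autofill tokens from the HTML standard that are relevant to password fields
# (a subset chosen for this example). Note that "false" is not one of them.
VALID_TOKENS = {"on", "off", "new-password", "current-password", "one-time-code"}


class PasswordInputAudit(HTMLParser):
    """Collect every <input type="password"> and its autocomplete setting."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # setting of the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        raw = None
        if "autocomplete" in attrs:
            raw = (attrs["autocomplete"] or "").strip().lower()
        if tag == "form":
            self.form_autocomplete = raw
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.findings.append(
                {"name": attrs.get("name") or "", "raw": raw,
                 "status": self._status(raw)})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None

    def _status(self, raw):
        if raw is None:  # no attribute on the input: the form's setting applies
            return "off" if self.form_autocomplete == "off" else "default-on"
        # Password managers in current browsers may still offer to save a field
        # marked "off"; a value such as "false" is not a recognised token at all.
        return raw if raw in VALID_TOKENS else "invalid"


def audit_password_inputs(html):
    """Return one finding (name, raw value, status) per password input."""
    parser = PasswordInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup, not taken from the Accumulo monitor.
SAMPLE = """
<form action="/login"><input type="password" name="a"></form>
<form autocomplete="off"><input type="password" name="b"></form>
<form><input type="password" name="c" autocomplete="false"></form>
<form><input type="password" name="d" autocomplete="off"></form>
"""
```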