[ https://issues.apache.org/jira/browse/ACCUMULO-4688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser resolved ACCUMULO-4688.
----------------------------------
Resolution: Won't Fix
Fix Version/s: (was: 1.7.4)
(was: 1.8.2)
Leaving this one as "Won't Fix". If those in favor can give a better argument,
we can revisit it later.
> Consider adding autocomplete=false to the shell servlet's password input
> element
> --------------------------------------------------------------------------------
>
> Key: ACCUMULO-4688
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4688
> Project: Accumulo
> Issue Type: Improvement
> Components: monitor
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Trivial
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Had a report from a user which identified an "issue" in the ShellServlet
> around the password input element.
> There is an attribute {{autocomplete}} which can be set to false on the
> {{input}} element that will instruct browsers to not try to save the password
> in some store. In theory, this marginally improves security as the password
> would not be stored on the local machine in (potentially) some way that could
> be accessed by an adversary.
> I'm on the fence about the value of making this change (if the browser
> doesn't do this automatically, users would probably do this on their own in a
> way that is *less* secure than how the browser could). Thoughts from everyone
> else?
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
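
An added example, not part of the JIRA thread or Accumulo's code: a small audit that lists each password input in a page together with the autocomplete value that applies to it, including one inherited from the enclosing form. The sample markup and all names are constructed, and treating anything other than `on`, `off`, `current-password` and `new-password` as invalid is a simplification of the HTML autofill token list.

```python
from html.parser import HTMLParser

# Constructed sample markup, not taken from Accumulo's ShellServlet.
SAMPLE = """
<form action="/shell" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form autocomplete="off">
  <input type="password" name="pass2">
  <input type="PASSWORD" name="pass3" autocomplete="false">
</form>
<input type="password" name="pass4" autocomplete="new-password">
"""

def classify(value):
    """Map an effective autocomplete value to a verdict."""
    if value is None:
        return "unset"
    value = value.strip().lower()
    if value == "off":
        return "off"
    if value in ("on", "current-password", "new-password"):
        return "autofill-allowed"
    return "invalid-token"  # e.g. "false": not a value HTML defines

class PasswordAutocompleteAudit(HTMLParser):
    """Collect (name, effective value, verdict) for every password input."""

    def __init__(self):
        super().__init__()
        self.form_value = None  # autocomplete on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_value = a.get("autocomplete")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            # An attribute on the input overrides the form-level setting.
            value = a.get("autocomplete", self.form_value)
            self.findings.append((a.get("name"), value, classify(value)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    return parser.findings
```

Running `audit(SAMPLE)` reports one row per password field, which makes it easy to spot fields where no setting applies or where the value is one browsers do not recognise.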