[whatwg] [WF2] Objection to autocomplete Attribute

[James Graham]

Mikko Rantalainen wrote:

> James Graham wrote:
>
>> Mikko Rantalainen wrote:
>>
>>> My bank uses one-shot passwords for web access
>>
>>
>> Which seems to be an ideal use-case for the autocomplete attribute...
>
>
> But in this case, the autocomplete isn't a *security* feature (though 
> my point is, it should never be considered a security feature). 
> Instead, it's an enchancement (UA will not store or incorrectly 
> suggest old value as valid input) and it should make no difference to 
> bank if UA supports that feature or not.

True. But it is a much better use case than the one that is currently in 
the spec. Ian, can we change the use case to mention some sort of 
one-time password rather than the contrived nuclear weapon example? It 
might even encourage people to implement something actually secure 
rather than just a set of fixed passwords...

In general I don't see the problem with autocomplete='off'. It does 
offer some security. Not very strong but at least as useful as hiding 
passwords as *** - a feature which has the same detrimental effect on 
usability that autocomplete=off has, is equally useless in the face of a 
sutiably determined attacker and yet one which few people wish to disable.

> WF2 shouldn't require UAs to support this feature. Just a note that 
> some institutions insanely want this feature is enough.

As Anne points out, WF2 uses "should", not "must", so it's not required 
for conformance. In effect the spec reads "you can not support this 
feature, as long as you don't mind banks not supporting your browser. It 
won't make you WF2 non compliant but since you're unlikely to have any 
market share, that's not your biggest problem".

-- 
"But if science you say still sounds too deep,
Just do what Beaker does, just shrug and 'Meep!'"

-- Dr. Bunsen Honeydew & Beaker of Muppet Labs