On 9/5/06, Dragon <[EMAIL PROTECTED]> wrote:
> David Dyer-Bennet sent the message below at 09:55 9/5/2006:
>
> >Why doesn't Firefox (or other browsers, I think I've seen the same
> >behavior in Opera) offer me the chance to remember the Administrative
> >password for my site?
> ---------------- End original message. ---------------------
>
> It is very simple. It is because these browsers that do this sort of
> thing are looking for an HTML input field named "password" (and maybe
> a few other similar names). If they do not find one with the name
> they expect, they do not save the password.
>
> The field on the login page is named "adminpw" and is thus not
> recognized. What these browsers SHOULD be looking for is the TYPE of
> the input and not the name. But then again, I think this feature of
> some browsers is a security breach waiting to happen.
Mostly the browsers are looking for username / password pairs, and need to
capture both; and there's no unique input field type for the username part;
so I see how they've ended up where they are, though it does seem to make
sense for them to capture bare passwords as well based on input field type.

> If you look at the source for the login page you will see something like this:
>
> <INPUT TYPE="password" NAME="adminpw" SIZE="30">
>
> You could modify your copy of mailman to change the name of that
> field if you wanted, I am not sure exactly how much of a change it
> would be and exactly which files are involved but I can't imagine it
> would take more than a handful of lines.

Unfortunately I don't control the copy I have to interact with.

> However, I personally see
> nothing wrong with the way it is done now, in fact, I think it is a
> good practice. The reason I say this is that I believe saving
> passwords on your computer is generally a bad idea as it is a risky
> practice. All computers connected to the Internet and not physically
> secured from unauthorized access are vulnerable to attack.

And the passwords saved in my browser are encrypted under a master
passphrase. The other reasonable choice I have for saving passwords is
Passwordsafe, where -- they're encrypted under a master passphrase.

I currently have 266 passwords (nearly all 8-12 character random strings)
in my Passwordsafe database. I have about 10 passwords I carry in my
memory, including the passphrases mentioned above plus a couple of key
work- and server-related passwords. For me, keeping them all in my memory
is not an option. (And the number is much smaller than it might be; for
example at a number of retailers where I have the option I don't establish
an account or store any data there, and hence don't have a password to
remember.)
Certainly there's some risk to ever writing them down or putting them on a
computer; but I believe storing them the way they do is a reasonable
balance between risk from the password being compromised, and risk from
forgetting it when I need it. Security is all about tradeoffs; my computer
would be more secure powered down, disconnected from the net, and locked in
a vault, but it would also be far less useful.

And of course giving the adminpw form field the name "password" would not
force anybody to keep the passwords in their browser; that functionality
can be disabled, and if enabled it still asks before remembering a
password, so it's hard to do accidentally.

-- 
David Dyer-Bennet, <mailto:[EMAIL PROTECTED]>, <http://www.dd-b.net/dd-b/>
RKBA: <http://www.dd-b.net/carry/>
Pics: <http://www.dd-b.net/dd-b/SnapshotAlbum/>
Dragaera/Steven Brust: <http://dragaera.info/>

------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: http://mail.python.org/mailman/options/mailman-users/archive%40jab.org
Security Policy: http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp
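The thread above turns on one detail: a name-based matcher misses Mailman's `adminpw` field, while a matcher keyed on `TYPE="password"` would capture it, and a username/password pair needs a nearby text field as well. The following JavaScript is an added example written for this page, not code from the thread, from Mailman, or from any browser's actual form-filling logic. Its tiny `<input>` attribute parser and the "nearest preceding text field is the username" pairing rule are this example's own assumptions, and both sample forms are constructed.

```javascript
// Added example: recognise credential fields by TYPE rather than NAME.
// parseInputs() and the pairing heuristic are assumptions of this example,
// not any real browser's algorithm.

// Parse every <input ...> tag in an HTML fragment into an object mapping
// lower-cased attribute names to values. Handles double-quoted,
// single-quoted and bare values; it is deliberately not a full HTML parser.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-z_:-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let m;
    attrRe.lastIndex = 0;
    while ((m = attrRe.exec(tag[1])) !== null) {
      // Whichever quoting style matched carries the value; a valueless
      // boolean attribute such as "disabled" becomes the empty string.
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      attrs[m[1].toLowerCase()] = value;
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Type-based matcher, the behaviour Dragon argues browsers SHOULD have.
// Walks the inputs in document order; each type="password" field is paired
// with the closest preceding text or email field (the username), or with
// null when the form has a bare password field like Mailman's admin login.
function findCredentialFields(html) {
  const results = [];
  let lastTextField = null;
  for (const attrs of parseInputs(html)) {
    const type = (attrs.type || 'text').toLowerCase(); // HTML default type
    if (type === 'password') {
      results.push({ username: lastTextField, password: attrs.name ?? null });
      lastTextField = null; // a second password field must not reuse it
    } else if (type === 'text' || type === 'email') {
      lastTextField = attrs.name ?? null;
    }
  }
  return results;
}

// Name-based matcher of the kind the thread complains about: it only
// recognises a handful of conventional names, so "adminpw" is missed.
function findByName(html) {
  return parseInputs(html)
    .filter(a => /^(password|passwd|pwd)$/i.test(a.name || ''))
    .map(a => a.name);
}

// Constructed sample 1: the single Mailman admin field quoted in the thread.
const MAILMAN_ADMIN_FORM = '<INPUT TYPE="password" NAME="adminpw" SIZE="30">';

// Constructed sample 2: a conventional username/password login form,
// using bare (unquoted) attribute values on the password field.
const LOGIN_FORM = `
<form method="post" action="/login">
  <input type="text" name="user" autocomplete="username">
  <input type=password name=secret>
  <input type="submit" value="Log in">
</form>`;

// Stand-alone run: the name-based matcher finds nothing on the Mailman
// form, the type-based matcher captures the bare password field.
console.log(JSON.stringify(findByName(MAILMAN_ADMIN_FORM)));
console.log(JSON.stringify(findCredentialFields(MAILMAN_ADMIN_FORM)));
console.log(JSON.stringify(findCredentialFields(LOGIN_FORM)));
```

The type-based matcher is the one that explains David's experience: it reports `adminpw` as a bare password with no username, which is exactly the case a pair-oriented filler has to decide whether to offer to save.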