Ka-Ping Yee wrote:

On Wed, 23 Feb 2005, Ian G wrote:


Ka-Ping Yee wrote:


2. Currently, typing in password fields shows a bunch of stars to
give the impression that what you type is secret. Well, if we
are really serious about the necessity of SSL for keeping passwords
secret, then why should we give that impression when there's no
encryption? Suppose that, if there's no SSL, password fields
*don't* blank out the text with stars -- they just behave like
normal visible text fields. That would be instant, unmistakable
feedback, and i think it would be a pretty intuitive way to show
that the password isn't being kept secret.


[...]


But, turning off the stars is a non-starter, one would
have to convince all the people who code and use
these things of where they came from, and who's
got the time to do that?



Sorry, could you elaborate a bit? I couldn't quite figure out what you
meant by that last paragraph. We'd have to convince *whom* of where
*what* came from?



Who: Developers of login boxes and all users of login boxes.

What: why the login boxes blank out the password with
stars or blobs or etc ... e.g., what the origin of the
original security need was, and "how things have changed!"

(Yes, i know it would look weird. It would make me go "what?"
But that would be the point. If a transient message also appeared
to say "The password you enter here will be visible to the public",
that would help me realize that it wasn't a browser bug.)



Right. It's a nice idea.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
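
The behaviour proposed in this thread, sketched as an added JavaScript example (not part of the original messages and not Mozilla code): decide whether a password field keeps its stars from the page URL and the form's submission target. The function names are hypothetical, and treating a field as protected only when both the page and the target are https is an assumption about what "no SSL" should mean.

```javascript
// Added illustration; all names are hypothetical, not browser code.
// Notice text is the transient message suggested in the thread.
const NOTICE = "The password you enter here will be visible to the public";

// Resolve where the form will actually submit. An absent or empty action
// submits to the page's own URL; relative actions resolve against it.
function submissionTarget(pageUrl, formAction) {
  const action = (formAction || "").trim();
  return new URL(action === "" ? pageUrl : action, pageUrl);
}

// Decide how a password field should render under the proposal.
function passwordFieldMode(pageUrl, formAction) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = submissionTarget(pageUrl, formAction);
  } catch (e) {
    // Unparseable URL: nothing shows the password is protected.
    return { masked: false, notice: NOTICE };
  }
  // Assumption: both the page and the target must use https.
  const encrypted = page.protocol === "https:" && target.protocol === "https:";
  return encrypted
    ? { masked: true, notice: null }
    : { masked: false, notice: NOTICE };
}

// Apply the decision to field-like objects (in a browser, <input> elements).
function applyToFields(pageUrl, formAction, fields) {
  const mode = passwordFieldMode(pageUrl, formAction);
  for (const f of fields) {
    if (f.type === "password" && !mode.masked) {
      f.type = "text";       // show the typed characters instead of stars
      f.title = mode.notice; // stand-in for the transient message
    }
  }
  return mode;
}
```

The https page that posts to an http action is the case a page-scheme-only check would miss, which is why the target is resolved first.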
