Comments on Manicode: Open letter to the Struts 1.x team on AUTOCOMPLETE
Jim Manico
Updated 2023-09-20T04:27:04.523-10:00

webay, 2009-07-20T19:24:21.718-10:00:

very impressive... been watching you for months now and I have to say this one is just that

speechless WOW!!!

Jim Manico, 2009-07-20T09:15:13.487-10:00:

I think your comments are totally fair, Anonymous, especially in the consumer space.

But in some enterprise situations (where strong password policy is forced), disabling autocomplete is a prudent choice.

All I'm asking is that 6 characters be deleted from the default struts 1.3.x tld file so that the autocomplete tag is a usable attribute by default.

Anonymous, 2009-07-20T05:45:16.604-10:00:

My take is that you're oversimplifying this problem.

Autocomplete can definitely be a good thing. That way, I can (and do) have different random passwords for each critical site, and I don't have to remember them all, I let Firefox do it for me. I just have to remember one long password.

It simply depends on your use-cases. Is your site primarily targeted towards people with a personal computer that they control, or towards a go-to-the-library crowd?

For most people, the alternative to having the browser auto-fill is using a similar, easy to remember password that they share across many sites. That is itself a security hole - see the story in the news about the Twitter employee who had their Google account compromised by using the same password.

So auto-complete can be a net security gain. It is even better if the auto-completion is integrated into the operating system-browser connection with a secret keeper - such as using Konqueror with KWallet, or Safari with KeyChain. Of course, you have to trust users to make sure that they cannot cache passwords in inappropriate circumstances.