Masking only MUST for passwords

Raised by:
Mary Ellen Zurko
Opened on:

Assuming it's possible, it would be far better if the user agent continue to be smart about password field display. This would reduce the burden of the editor bar, and the ability to mark strings for masking would be a MAY. The display name of each string input to a site in a password field could be "[petname] password [n]" where n provides a sequence number. The feature that allows for masking of other strings would also allow for renaming of these defaults. Here's a crack at the rewrite of the 2nd pargraph:

Strings in the text entry tool history that were input into password fields MUST have a meaningful and unique [display name]. One (english) example is "[site petname] password [n]", where "n" provides a sequence number in case of multiple entries. Wherever a text string would be displayed by the editor bar, the provided display name MUST be shown in its place, as well as an indication that the displayed text is a display name. Users SHOULD be provided with an interaction to change display names, and MAY be provided with a mechanism to give other sensitive strings display names.

I left out the auto completion part because I don't buy it; I think that part is still up for grabs (some simple user testing should show). It can obviously be recommended by the examples, prototypes, and code that come along as we work on the spec. The last line in that paragraph didn't add anything; the editor bar would not work at all if that line was not followed.
Related Actions Items:
No related actions
Related emails:
  1. ISSUE-157: Masking only MUST for passwords [wsc-xit] (from on 2008-01-02)

Related notes:

No additional notes.

Display change log ATOM feed

Mary Ellen Zurko <>, Chair, Thomas Roessler <>, Staff Contact
Tracker (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <>.
$Id: 157.html,v 1.1 2010/10/11 09:35:08 dom Exp $