W3C home > Mailing lists > Public > public-html-comments@w3.org > September 2009

Re: comment about autocomplete and saving credentials

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 3 Sep 2009 12:40:49 +0000 (UTC)
To: John Snyders <jjsnyders@rcn.com>
Cc: public-html-comments@w3.org
Message-ID: <Pine.LNX.4.62.0909031228070.6775@hixie.dreamhostps.com>
On Mon, 31 Aug 2009, John Snyders wrote:
>
> I have a few comments on the autocomplete attribute section 4.10.4.2.1
> 
> I think a distinction needs to be made between browsers remembering a 
> list of values for a single input and a browser offering to remember 
> login credentials.  The first case is clearly described and easy to 
> understand. The second case is more complicated. Browsers somehow 
> associate the username and password as a pair and offer to remember 
> them. Ideally browsers should store the credentials in a secure manner.

What distinction would you want the spec to make?


> I'm concerned about the arms race between the banks not wanting the 
> browsers to store the users credentials and the users wanting the 
> convenience of having their credentials remembered. It seems the banks 
> don't trust the browsers. But most browsers have the option of keeping 
> credentials in a secure store using a master password and two way 
> encryption.  I think the spec should explicitly state that a user agent 
> that is going to store credentials should allow the user the option of 
> using a master password protected store or an OS provided equivalent. 

That's entirely up to the UA, and out of scope of the spec, as far as I 
can tell. The UA can store the passwords on punched cards guarded by small 
trolls, for all the spec cares, no?


> The browser should also provide some kind of warning to the user about 
> the dangers of remembering passwords without a master password. If this 
> were done perhaps the banks would trust the browsers and we could do 
> away with autocomplete having anything to do with saving credentials.

I don't think the spec should be mandating warnings of any kind.


> The spec does have a paragraph about the user agent giving the user the 
> ability to override autocomplete but there should be two separate 
> options one for single value autocomplete and another for storing 
> credentials.

That's up to the UA. I don't think the spec should be getting into that 
kind of discussion.


> I don't know if the best thing is just to describe current browser 
> behavior or if there are better recommendations.

Isn't what the spec says now adequate? It lets implementations have the 
flexibility to provide new features, while defining the minimum they must 
do to be compatible with sites.


> In section 4.10.4.2.1 the example given seems to be related to the login 
> credentials case. Consider adding another example that prompts for 
> something like a social security number.

I don't really want to encourage people to use this feature too much, so 
I'd rather not have too many examples.


> Also the PIN input type should be type password rather than text to be 
> more realistic.

Good point, fixed. Thanks.


> Perhaps examples, even though they are just examples, should show best 
> practices such as using a label rather than just text like Account: or 
> PIN:

Fixed.


> The paragraph on how autocomplete defaults is difficult to follow. The 
> long sentence should be broken down into simpler parts perhaps indented 
> or use pseudo code.

I'm not sure which sentence you mean.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 3 September 2009 12:38:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 1 June 2011 00:14:00 GMT