RE: Passsword managers and autocomplete='off'

On Thursday, December 12, 2013 1:57 PM, Jonas Sicking wrote:
> On Thu, Dec 12, 2013 at 1:45 PM, Joel Weinberger <jww@chromium.org> wrote:
> >> But it would suck if the result is that they create their own form
> >> fields using <div>s and/or contenteditable.
> >
> > That's true, although some things like that are already pretty prevalent so
> > we've come up with decent heuristics for detecting them. In the end, though,
> > they always can try obfuscation, but we think that this will, in fact,
> > benefit their users.
> 
> Whether it benefits users or not is unfortunately less relevant than
> whether websites thinks that it benefits users. Since if they don't
> think it does, we'll end up in an escalating war of browsers and
> websites working around each other.
> 
> >> Reaching out to banks might be good. Is that something you've looked at?
> >
> > Yes, we're definitely doing that. From our perspective, we'd be happy with
> > making the switch today, but we're trying to be good netizens and (a) give
> > fair warning, and (b) make sure we're not missing something critical.
> 
> I'd be very interested in hearing what feedback you get. If we knew
> that banks were onboard with whatever is proposed, that would
> definitely make us more comfortable with deploying the same solution.

We agree with this approach. In IE11, we decided to stop supporting [1] the
autocomplete attribute with <input type=password> in order that we could offer
password management for more authentication forms. We never store passwords
without the user choosing to allow this when prompted for a specific site.

We haven't heard any significant negative feedback so far.

Cheers,

Adrian.

[1] http://msdn.microsoft.com/en-us/library/ie/ms533486

Received on Friday, 3 January 2014 23:08:30 UTC