comment about autocomplete and saving credentials from John Snyders on 2009-08-31 (public-html-comments@w3.org from September 2009)

From: John Snyders <jjsnyders@rcn.com>
Date: Mon, 31 Aug 2009 13:28:46 -0400
To: public-html-comments@w3.org
Message-ID: <4A9C084E.2070301@rcn.com>
I have a few comments on the autocomplete attribute section 4.10.4.2.1

I think a distinction needs to be made between browsers remembering a 
list of values for a single input and a browser offering to remember 
login credentials.  The first case is clearly described and easy to 
understand. The second case is more complicated. Browsers somehow 
associate the username and password as a pair and offer to remember 
them. Ideally browsers should store the credentials in a secure manner.

I'm concerned about the arms race between the banks not wanting the 
browsers to store the users credentials and the users wanting the 
convenience of having their credentials remembered. It seems the banks 
don't trust the browsers. But most browsers have the option of keeping 
credentials in a secure store using a master password and two way 
encryption.  I think the spec should explicitly state that a user agent 
that is going to store credentials should allow the user the option of 
using a master password protected store or an OS provided equivalent. 
The browser should also provide some kind of warning to the user about 
the dangers of remembering passwords without a master password. If this 
were done perhaps the banks would trust the browsers and we could do 
away with autocomplete having anything to do with saving credentials.

The spec does have a paragraph about the user agent giving the user the 
ability to override autocomplete but there should be two separate 
options one for single value autocomplete and another for storing 
credentials.

When banks moved the user name and password prompts to different pages 
(perhaps to support SiteKey) this kept browsers from associating the two 
so they couldn't remember credentials. Then Firefox got smart enough to 
handle this case. A side effect is that a password input that has 
nothing to do with authentication ends up getting autocompleted in some 
cases.

I did some testing and found different behavior among the browsers:
- Safari 4(win) and Opera 9.64 would never auto complete the user name 
(regardless of autocomplete setting) and used autocomplete=off on the 
user name input to control offering to remember credentials.
- Firefox 2-3.5: autocomplete works as expected on the user name field 
to control remembering previous usernames and autocomplete=off on the 
user name or password field controls offering to remember credentials.
- Chrome: autocomplete works as expected on the user name field to 
control remembering previous usernames and autocomplete=off on the 
password field controls offering to remember credentials.
Sorry didn't test any version of IE.

The input password state explicitly allows the autocomplete attribute 
but the semantics are not clearly defined.  Clearly it doesn't make 
sense to remember the password like you would a text input since a 
browser would never present a list of previously entered passwords in 
plain text and a list of ******'s isn't helpful either. So it must be 
related to remembering login credentials.

Given the current state of browsers if you want to recommend that the 
browser not store user login credentials you need to set 
autocomplete=off on both the username and password input prompts. In 
addition because of Firefox you need to set autocomplete=off on all 
password fields that are unrelated to login autentication.

I don't know if the best thing is just to describe current browser 
behavior or if there are better recommendations.

Some extreme options are:
- autocomplete should not be used to control saving credentials at all 
and either
  - sites have no business telling the browser what to do in this area 
(because of Firefox supporting
    username and password on different pages there still needs to be a 
way to say a password input
    has nothing to do with authentication)
  - or a new attribute (perhaps on the form) is added to explicitly 
state that the site requires the
    highest level of security which the browsers can interpret as a 
request (the the user can override)
    to not store the credentials.
- It might be worth while distinguishing a password/pin as part of login 
credentials from an ordinary
  secret field (one that does not echo). The first would be called 
password and the second would
  be called secret.

Minor things:
In section 4.10.4.2.1the example given seems to be related to the login 
credentials case. Consider adding another example that prompts for 
something like a social security number. Also the PIN input type should 
be type password rather than text to be more realistic.

Perhaps examples, even though they are just examples, should show best 
practices such as using a label rather than just text like Account: or PIN:

The paragraph on how autocomplete defaults is difficult to follow. The 
long sentence should be broken down into simpler parts perhaps indented 
or use pseudo code.
Received on Wednesday, 2 September 2009 14:13:09 UTC