Re: Password managers and autocomplete='off'

On Thu, Dec 12, 2013 at 1:21 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Dec 12, 2013 11:21 AM, "Joel Weinberger" <jww@chromium.org> wrote:
> > What are this group's thoughts on this? Any particular concerns with
> > this approach?
>
> I like the approach.
>
Awesome, and thanks for this feedback :-)

>
> The issue in the past has been that banks were extremely worried about
> the formfill feature in browsers. To the extent that they would
> blocklist browsers that didn't honor autocomplete="off".
>
> Of course, that was a long time ago. Things might have changed. If
> nothing else, marketshares have changed. They would have a much harder
> time to blocklist Chrome or Firefox today than they did back then :-)
>
Moreover, the technology has changed. Back when this original debate
happened, we didn't live in a world where password managers existed (or at
least, they were nowhere as good as today's).

>
> But it would suck if the result is that they create their own form
> fields using <div>s and/or contenteditable.
>
That's true, although some things like that are already pretty prevalent so
we've come up with decent heuristics for detecting them. In the end,
though, they always can try obfuscation, but we think that this will, in
fact, benefit their users.

>
> Reaching out to banks might be good. Is that something you've looked at?
>
Yes, we're definitely doing that. From our perspective, we'd be happy with
making the switch today, but we're trying to be good netizens and (a) give
fair warning, and (b) make sure we're not missing something critical.

>
> And at minimum making a better implementation of form autocomplete
> sounds like a good thing. Sounds like you've done that. Though you
> might also want to make sure that the remembered username/password is
> stored in an encrypted form.
>
> / Jonas
>

Received on Thursday, 12 December 2013 21:46:18 UTC