Re: Password managers and autocomplete='off'

On Thu, Dec 12, 2013 at 1:57 PM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Thu, Dec 12, 2013 at 1:45 PM, Joel Weinberger <jww@chromium.org> wrote:
> >> But it would suck if the result is that they create their own form
> >> fields using <div>s and/or contenteditable.
> >
> > That's true, although some things like that are already pretty prevalent so
> > we've come up with decent heuristics for detecting them. In the end, though,
> > they always can try obfuscation, but we think that this will, in fact,
> > benefit their users.
>
> Whether it benefits users or not is unfortunately less relevant than
> whether websites think that it benefits users. Since if they don't
> think it does, we'll end up in an escalating war of browsers and
> websites working around each other.
>
I'm not sure if I entirely agree. This is a feature (or anti-feature,
depending on your perspective :-) that has been touted as "good security"
for quite some time (in fact, the W3C spec specifically calls it out in
that regard).

I have some hope, perhaps misplaced, that if we change it and say, "hey,
this is actually really bad for users," at least some developers will get
it. Some won't, and they'll obfuscate, but any improvement in the number of
people who are able to use password managers is a Good Thing.

>
> >> Reaching out to banks might be good. Is that something you've looked at?
> >
> > Yes, we're definitely doing that. From our perspective, we'd be happy with
> > making the switch today, but we're trying to be good netizens and (a) give
> > fair warning, and (b) make sure we're not missing something critical.
>
> I'd be very interested in hearing what feedback you get. If we knew
> that banks were onboard with whatever is proposed, that would
> definitely make us more comfortable with deploying the same solution.
>
> / Jonas
>

Received on Thursday, 12 December 2013 22:04:06 UTC