RE: Passsword managers and autocomplete='off' from Jonathan Bond-Caron on 2013-12-18 (public-webapps@w3.org from October to December 2013)

From: Jonathan Bond-Caron <jbondc@gdesolutions.com>
Date: Wed, 18 Dec 2013 16:09:09 +0000
To: Joel Weinberger <jww@chromium.org>, Maciej Stachowiak <mjs@apple.com>
CC: WebApps WG <public-webapps@w3.org>
Message-ID: <0a582fc3c5fa482cb5b6b7d5e0e89fe1@BN1PR07MB135.namprd07.prod.outlook.com>

>  On the other hand, if all browsers collectively chose to completely
> ignore autocomplete=off, that might allow proceeding more
> aggressively.
> Sure, and that's why we're bringing it up with the
> standards body. Before we proceed any further, we want to make sure that
> (a) our intention is known, and (b) make sure we're not missing anything
> critical. So far, the arguments in favor of autocomplete='off' are pretty
> much as we already understood them.
> 

Any legal perspective? Banks/financial sites may want autocomplete=off because the user is responsible for keeping his password safe.

What happens in the case of fraud? Is the password manager/browser liable? The bank? The user? Who gets sued?

That's probably the concern, maybe a liable="user" attribute with popup "hey by using auto-complete manager... do you agree to these risks, insert TOS here..." ?

Received on Wednesday, 18 December 2013 16:09:45 UTC