Re: Password managers and autocomplete='off'

On Wed, Dec 18, 2013 at 8:09 AM, Jonathan Bond-Caron <
jbondc@gdesolutions.com> wrote:

> > On the other hand, if all browsers collectively chose to completely
> > ignore autocomplete=off, that might allow proceeding more
> > aggressively.
> > Sure, and that's why we're bringing it up with the
> > standards body. Before we proceed any further, we want to make sure that
> > (a) our intention is known, and (b) make sure we're not missing anything
> > critical. So far, the arguments in favor of autocomplete='off' are pretty
> > much as we already understood them.
> >
>
> Any legal perspective? Banks/financial sites may want autocomplete=off
> because the user is responsible for keeping his password safe.
>
It is already the case that users often use other mechanisms for recording
passwords (e.g. text files, pen and paper, third party password managers),
and we certainly do not force the password manager on users. That having
been said, we haven't heard from the banks yet.

>
> What happens in the case of fraud? Is the password manager/browser liable?
> The bank? The user? Who gets sued?
>
> That's probably the concern, maybe a liable="user" attribute with popup
> "hey by using auto-complete manager... do you agree to these risks, insert
> TOS here..." ?
>
I doubt we would go the ToS route; we generally encourage features to be
less wordy.

Received on Wednesday, 18 December 2013 20:15:11 UTC