[whatwg] Password managers ignoring autocomplete='off' harming security

Hi All,

Over the past few months all the browser vendors have moved towards
ignoring autocomplete="off" with password fields. I understand the
rationale behind this, but in our software project this has lead to
the frustrating situation where we seem to have no good option to deal
with this and the change is actively harming the security of our

To outline the situation in broad terms:
* We have shared secrets on the page which we protect against shoulder
surfing by using the password element with autocomplete="off"
* The password managers are now all auto-filling these fields with
passwords on the same domain and in many cases without the user even
noticing (optional fields they wouldn't look at)
* The passwords then get stored in our shared-secret fields clear text
and available to all their peers
* This can then be used for privilege escalation etc

It seems like our only option is avoid use of password field at all
and invent our own 'fake' password field to protect our users
passwords from being exposed. That seems like a really disappointing

(Apologies in advance if this is completely off-list, I saw some
threads leading to this list and it wasn't clear to me if this sort of
discussion was acceptable).


Received on Wednesday, 1 October 2014 19:20:24 UTC