
For web sites that have username/password text input fields, the browser usually handily offers to remember them for you (in my case, Safari puts them in my OS X keychain).

This simply does not happen with certain web sites. The first example that comes to mind is vBulletin forums. Meaning you can't use a complex/random password unless you're willing to copy and paste it from somewhere each time.

Are browsers detecting when to offer to remember these by "does this look like a username/password" heuristics and failing sometimes?

How does this work behind the scenes?


Edit: Fellow Safari users, check out this combo:

http://8-p.info/greasekit/

http://userscripts.org/scripts/show/8021

http://userscripts.org/scripts/show/28696

xyz

3 Answers


There's an 'autocomplete="off"' attribute on form (not officially in HTML4, but generally supported).

Matthew Wilson
  • Why on earth would a web developer include that on their username/password form? It's taking a personal decision out of the user's hands. – xyz Jan 20 '10 at 10:28
  • Banking sites are very keen on it - they don't want to trust the security of the user's PC to store sensitive data. – Matthew Wilson Jan 20 '10 at 10:35
  • Are they going to send some heavies round to rip the post-it-note off the bottom of ma's monitor? – xyz Jan 20 '10 at 10:50

You could use <FORM METHOD="post" ACTION="action.cgi" AUTOCOMPLETE="off"> but this only works in IE I think.

You could also use a random string for the password field ID so that the browser cannot be sure that a previously entered password is authenticating the same page this time round.

Another strategy would be to not use type="password" as the browser uses this to identify a field as a password - however, this is not a good idea as the password would not be blanked out when the user types it into the form. Any JavaScript to emulate this would not be executed if JS was disabled.

I think using the first two techniques would probably be as good a solution as is possible without resorting to advising your users to not allow the browser to store passwords.

Richard

Try this:

<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
Anton Gogolev
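
The markup the answers above describe can be checked mechanically. This is an added example, not code from any of the posts: it scans HTML for login forms and reports autocomplete="off" on the form or its fields, plus password-named inputs that are not type="password". The function names, the `pass|pwd` name heuristic and the sample markup are assumptions made for illustration.

```javascript
// Added example: regex tag scanning is an assumption to keep this runnable in plain
// Node (no ">" inside attribute values); in a browser, walk document.forms instead.
function parseAttrs(tag) { // one opening tag -> { lowercased-name: value }
  const attrs = {};
  const body = tag.replace(/^<\s*\w+/, '').replace(/\/?>$/, '');
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

const isOff = (v) => (v || '').toLowerCase() === 'off';
const label = (a) => a.id || a.name || a.action || '(unnamed)';

// Report, per login form, the markup that stops a browser offering to save it.
function auditLoginForms(html) {
  const findings = [];
  const formRe = /(<form\b[^>]*>)([\s\S]*?)<\/form\s*>/gi;
  for (const f of html.matchAll(formRe)) {
    const form = parseAttrs(f[1]);
    const inputs = (f[2].match(/<input\b[^>]*>/gi) || []).map(parseAttrs);
    const masked = inputs.filter((i) => (i.type || '').toLowerCase() === 'password');
    // Text inputs named like a password: the "don't use type=password" strategy.
    const unmasked = inputs.filter((i) =>
      (i.type || 'text').toLowerCase() === 'text' && /pass|pwd/i.test(`${i.name || ''} ${i.id || ''}`));
    if (masked.length + unmasked.length === 0) continue; // not a login form
    findings.push({
      form: label(form),
      formAutocompleteOff: isOff(form.autocomplete),
      fieldsAutocompleteOff: inputs.filter((i) => isOff(i.autocomplete)).map(label),
      unmaskedPasswordFields: unmasked.map(label),
    });
  }
  return findings;
}

// Constructed sample markup (not from any real site).
const SAMPLE = `
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<FORM METHOD="post" ACTION="action.cgi">
  <INPUT TYPE="text" NAME="login"><INPUT TYPE="text" NAME="passwd" AUTOCOMPLETE="off">
</FORM>
<form action="search.cgi"><input type="text" name="q"></form>`;

console.log(JSON.stringify(auditLoginForms(SAMPLE), null, 2));
```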