Comments on: Turn On Autocomplete

By: Dentaku

Dentaku — Wed, 12 Dec 2007 11:16:38 +0000

I agree with Hoogla Boogla. The realistic fact is, that most users don’t know about the features of browsers. Most havent’ heard about cookies or history. They don’t understand why sometimes URLs/Names appear in a selection box and sometimes not.

For this reason, security must be defined from the standpoint of “dumb” (sorry…) users. Other users know enough how to configure their software to increase security. Security must be fool proof.

I think of another way to have secure passwords: changing passwords! There would be an algorithm how to create the password with operands oly known to the user. This way, traced passwords/keystrokes are invaluable as those passwords can’t be used a second time. It’s like a transaction number but with the algorithm and operands being easy enough for the user to remember. E.g. “dayOfWeek * monthOfBirth + ‘Hello’ “

By: Hoogla Boogla

Hoogla Boogla — Mon, 19 Nov 2007 14:55:36 +0000

I definitely consider username/password autocomplete a security risk. While you are right, that browsers provide options to clear caches, password stores and the like, most users don’t know how to find the right buttons. Even if you have a “this is a public computer”-checkbox, there will be (a lot of) users who are like “oh no, it’s not public, it’s in my classroom/library/whatever”.

Hoogla Boogla

By: Gaurav

Gaurav — Mon, 01 Oct 2007 01:14:21 +0000

I agree that forcing autocomplete off decreases security by forcing users to use fewer passwords.

I’m reminded of a story by one of the authors (IIRC - Dan Farmer) of Crack (the /etc/passwd brute force cracking program) - the author added the plaintext password file from a MUD site he ran to his dictionary file at a company he was the sysadmin … on the first pass Crack guessed the root password!

Also some machines e.g IBM/Lenovo Thinkpads are equipped with Fingerprint Readers+Software that fill in login forms (after a simple swipe of the finger) … even if the HTML requests Autocomplete Off - technically though this isn’t Autocomplete as it requires the user to swipe their finger. Also the IBM/Lenovo password manager isn’t restricted to only Web Forms - it supports Windows/NTLM, HTTP, VNC and other Login prompts as well.

By: James Orenchak

James Orenchak — Sun, 30 Sep 2007 15:17:38 +0000

As long as the web site isn’t handling transactions, such as Amazon or the home banking web site I use, I see no problem with autocompleting user names and passwords. The trade off is between a hacker stealing the user names and passwords saved by the browser from your pc and someone looking over your shoulder or stealing your user name and password you type in somewhere between the keyboard and the webserver.

By: Subbu Allamaraju

Subbu Allamaraju — Fri, 28 Sep 2007 17:42:36 +0000

I agree with your argument that autocomplete is not necessarily a security risk, and it is often a poor choice on the part of web masters and web app developers to disable autocomplete (or to even null-out text fields using JavaScript) assuming that it increases security. It does not.

By: Viswanath

Viswanath — Fri, 28 Sep 2007 16:01:03 +0000

How about the case of forgotten passwords, simply because the browser remembered a ton of them, one for each site, but finally
- my PC crashed
- new version of the browser didn’t faithfully copy
- I needed to badly access the site from a different PC

By: Elliotte Rusty Harold

Elliotte Rusty Harold — Fri, 28 Sep 2007 10:20:50 +0000

It’s a little like trying to push the bubble out of a carpet. You can knock it down one place, but then it shows up somewhere else.

Assuming the browser uses strong encryption and secure coding practices, I’m not too worried about a trojan stealing the file. I am worried that reuse of passwords on multiple sites enables a hacker who gets to one site’s often unencrypted password database to then trivially guess the password for different sites. I don’t want Joe’s Autoshop to have access to my Amazon password. However if I can’t store the passwords in the browser, I use many fewer different passwords. These days almost every site or system I connect to has a unique password, but that didn’t use to be the case before browsers started autofilling passwords. It was just too much trouble to remember them all.

By: Michaelk

Michaelk — Tue, 25 Sep 2007 23:55:16 +0000

>That is, autocompleting usernames and passwords definitely increases accessibility and usually increases security.

Yes, it really helps with accessibility, but therein lies a security risk- a virus could be able to get the files containing the autocomplete information, send it to its creator, and then be decrypted.

By: FranÃ§ois Beausoleil

FranÃ§ois Beausoleil — Tue, 25 Sep 2007 15:57:10 +0000

This is nice if you’re building a website, but a web application is another matter entirely. I am specifically talking about admin interfaces, or CRM+ERP built using web interfaces.