What are your thoughts about this issue in regards to an e-commerce environment?
Do you think it is wise to turn autocomplete off on all sensitive input fields such as passwords (for log-in areas), or will this just inconvenience the client?
+1
A:
Unless it is a highly-secure site, I would tend to leave autocomplete on. If it is for a password field, the browser will prompt the user if they want to save the information, at which point the user can make their own decision.
Justin Ethier
2010-06-14 20:40:54
+12
A:
I hate websites that do that. It is the client's decision if they want to save passwords or not. What is particularly irksome is that this attribute breaks OS X's native KeyChain support. So, even though the user has stored his password in a secure file, and authorized themselves and the application to use it, the website still thinks it knows better. Just plain annoying.
jsumners
2010-06-14 20:42:37
+1 for typing it for me.
Aaron Harun
2010-06-14 20:43:55
+1. I'll accept it for CC# fields and for logging into my bank's website, but for most anything else it's just really annoying.
afrazier
2010-06-18 01:40:30
there are plugins that can turn it on again, the purpose is that user think what he want to write in that field and not just select stuff he already entered. plus saving password on every browser you use for business is a bad idea.
01
2010-06-20 14:33:47
Again, it is up to the _user_ to make that decision. I consider this tantamount to resizing the browser window or trying to disable the context menu. It is not the web site's place to screw with the client's software.
jsumners
2010-06-21 12:35:39
A:
It depends what you mean by e-commerce. In Internet banking you should disable autocomplete. In online shopping - not necessarily.
It's worth remembering that autocomplete does not force remembering passwords. User has to agree to store their credentials, so they always can reject.
el.pescado
2010-06-14 20:42:38
I'd actually prefer the other way. With internet banking, I rarely enter anything critical like a credit card number. I enter it all the time with e-commerce.
ceejayoz
2010-06-14 20:49:20
PS. Credit card number field is a sensitive field. Login/password for an online store IMO are not sensitive fields.
el.pescado
2010-06-14 21:05:11
+3
A:
I really dislike that when I start to type in my credit card number and it lists all of the numbers I have used in the past, as well as the 3 digit code. Not cool IMO.
Rob Goodwin
2010-06-14 20:45:24
The page authors should set this, but there should be a way to specify "don't save the contents of stuff I enter on secure pages" and if there is...WHERE IS IT? :D
Broam
2010-06-14 20:46:48
You must think its really cool when spyware digs though the cache and swiped your ccn.
Rook
2010-06-15 06:22:24
A:
I concur. By habit, I leave autocomplete on. However, there was a project for the air force I was working on that had a requirement to disble autocomplete. Really depends on your requirements.
Andy Evans
2010-06-14 20:46:40
A:
I actually don't think i've ever seen "autocomplete" work on a password field.
Autocomplete(when you start typing something in a form field, and the browser popups up a list of suggestions), and asking the browser to remember your user name and password are two different things.
If you're talking about the browser feature that remembers your username and password, i'm not aware of a way for you to disable that on the user's machine.
MiguelR
2010-06-14 20:49:12
At least in Safari on OS X, where usernames and passwords are stored in the system KeyChain by default, setting `autocomplete="off"` on a login form will prevent autofill. An example is searscard.com.
jsumners
2010-06-14 20:54:29
A:
I use password/form managers like 1Password and RoboForm specifically to get around websites that disable autocomplete; these add-ons typically ignore the website's preferences in favor of their own more sophisticated logic.
Craig Walker
2010-06-14 20:49:14
+4
A:
An eCommerce application I worked on several years ago underwent a security audit and one of their recommendations was to disable autocomplete for sensitive fields.
It wasn't a strict requirement, but it probably will be at some point, given how eCommerce standards are these days..
Damien Dennehy
2010-06-14 20:52:39
+1 I have also seen this and I agree that some data should not be stored, such as CCNs.
Rook
2010-06-15 06:23:07
A:
standard industry best practice is to turn autocomplete off for password fields, but leave it on for username fields.
Bachrach44
2010-06-17 01:39:41
A:
Most e-commerce sites disable autocomplete for credit card fields. They store and redisplay the info when an authenticated user returns, then only require the user to re-enter the CVV. This way the site gets users to sign up (otherwise, they'd have to re-enter the full CC info every time), keeps the CC info masked on subsequent visits, and only burdens the user with entering a three-digit number. (It's also a small way of building secure practice around CC numbers so users will hopefully be more protective of them.)
Keep in mind that setting autocomplete on/off only addresses confidentiality of data for shared environments, i.e. more than one person accesses the same browser. For example, if your app were intended for a classroom, then it would make more sense to disable autocomplete entirely since the app will be re-used in the same browser by many different people.
Consider it an (in)convenience feature, not a security feature. You can't protect users from every dumb mistake when sharing browsers (like not logging out) and, to be nicer to dumb users, it won't have any bearing on client-side attacks like keyloggers. If the shared environment isn't secure, then your app can't do much to protect its users.
Mike
2010-06-18 00:54:24
A:
Autocomplete should be turned off.
I understand you may not like it. Now, consider that an attacker gains access to your account due to this shortcut. Yes, your account is compromised, but the company's web application is also compromised. This opens the door for other, deeper, attacks, such as stored XSS, etc.
So sure, its an inconvenience for you, but its a protective measure for the company.
Willi Ballenthin
2010-06-18 01:04:52