Remove autocomplete in code for Opera Mini Browser

Question

Hey all

We have a mobile web based app at my company. Due to the nature of the application we do not want the browser on the users phone to prompt the user to save the passwords on the form a.k.a the autocomplete feature.

We managed to do that for IE and Firefox by setting the autocomplete tag to "off" but that doesnt seem to work for Opera mini (and i am guessing opera in general). I know user's can set it to off in their settings but for security reason we rather have it disabled?

Is there a workaround for this through code? the app is Java app using faces components based on an Jboss/Apache architecture.

Answer 1

In general, Opera lets the user configure whether it should respect autocomplete=off. On principle, users should be able to configure the password storage feature, and web sites should not be able to affect the configuration at a whim.

However, I can certainly see that for specific scenarios, like "send one-time passwords by SMS to the device Opera remembered the regular password on", this sucks. If you have stored password for a high-value site + use SMS one-time passwords as an "out of band" authentication, a lost phone becomes a major risk. The root of this problem is the assumption that an SMS constitutes "three-factor" authentication - if the stored login and the SMS is on the same device it's no longer "three-factor"..

It is tricky to try to leave users in control, while yielding to the web site when it's a really good idea to do so. Sadly, I think this is an unsolved question for now.

If you have a good use case for disabling password storage and are working on an important site, perhaps Opera Mini server admins could be persuaded to disable password manager on a site-specific basis? I don't know, but if you report it as a bug to Opera it would at least give the internal discussions some more momentum. Feel free to contact me with a reference to the bug report because I'm in a position where I could keep an eye on it ;-)