views: 1576, answers: 7

I have a public-facing website that is used to manage business infrastructure equipment for my clients. A security breach on this website could cause expensive problems for clients.

A number of different websites--mostly banks, health care, and government--disable the "save password" dialog from appearing in Firefox, IE, and other browsers, citing security concerns. I'm talking about the box/bar that appears after you enter your login information, so the browser can auto-populate the username/password fields for you the next time you visit that site.

My question is not how to disable, because that is answered in the Disable browser 'Save Password' functionality question.

What I want to know is:

  • What are some cases in which it is absolutely essential to disable "save password" functionality? Do such cases exist?
  • Does this technique really provide any additional security? In other words, won't people find a way to leak their passwords despite your best efforts?
  • Do users complain about removal of "save password" functionality?
  • Any other thoughts on when to disable "save password" functionality?
+4  A: 

Question is, in what cases does it help when you don't allow saving passwords?

  • Someone breaks into your home, gets access to your PC, visits the site and now has access - uhm, somehow abstract idea
  • You lose your Notebook/Netbook, someone finds it, cracks your password (hopefully you have one on your Whateverbook), browses to the site and has access

Both are more by chance than anything else. Someone who wants to get access to an account will use spyware like a keylogger. But when there is a keylogger on your PC, disabling the save-password feature wouldn't help anything.

Do users complain about removal of "save password" functionality?

Yes, absolutely. Users never like it to be domineed.

eteubert
When you say how it helps, do you realise that 'Save-password' provided by browsers can be exploited to retrieve the original password? Even though browsers encrypt data, it can be decrypted. There are hackers out there working their way towards solving such primary password save mechanisms.
Chandan .
Yes, but I am sure browser developers are aware of this and working on more secure solutions. Security is a topic - especially in browsers - that will never stop. If however, you should consider changing your browser.
eteubert
And sometimes it is better to dominate the user. You are at least protecting them against all the password stealth attacks that exploit saved password. We don't want our users crying over how they lost their money in the bank account do we? User security is more important than user frustration.
Chandan .
Users never like to be "a minister of the Dutch Reformed Church"? http://www.thefreedictionary.com/domineed
Calvin
+5  A: 

I complain about it ;-) I was actually just thinking about this today because my online banking site disables password autocompletion and it's really irritating.

While not a majority of computer users, there are plenty of people who know how to manage their passwords securely, and for them it's really irritating when websites disable the password field autocompletion because it means they need to do something like, say, writing the password down, or picking a simple one that's easy to remember - neither of which makes them happy, because as I said, these are people who take password security seriously. Using a browser's password manager is pretty much the best compromise between security and convenience we have. And the annoying part is, if a website tries to disable autocompletion there's no easy way to tell some browsers to ignore that. (In Firefox it requires hacking some Javascript file)

This also ties into the thing Joel once wrote about how users, erm, people like to be in control of their environment. They're much less likely to use (or at least like) a program or website that takes it upon itself to decide that they can't be trusted with a password manager.

David Zaslavsky
+2  A: 

1) "What are some cases in which it is absolutely essential to disable "save password" functionality? Do such cases exist?"

There is no well-defined general rule as such. It totally depends on the kind of services that are provided to the user and their relative importance. For example, net banking web sites have this functionality disabled, whereas a normal web-based email site or an online discussion forum would rather leave the save password feature turned on. It all depends on what you are offering to the user and its relative importance.

2) "Does this technique really provide any additional security? In other words, won't people find a way to leak their passwords despite your best efforts?"

Yes. This technique at least blocks off one possible way of password stealth. But it does not guarantee no password stealth in any sense. From the most trivial ways of password stealth, to keyloggers that capture key strokes, to even brute-force mechanisms or even phishing sites that resemble your web site, the routes of password stealth still remain open. You are just blocking off one of the ways, that's it.

3) Do users complain about removal of "save password" functionality?

Depends on the user really. Some who realise the importance of the save password feature being disabled would not complain about it anyway. And those who are just too lazy to re-enter the credentials every time should not be worried about. After all, user security and privacy is much more important than user frustration, because we are dealing with important data here and we disable the save password feature for the good of the user only.

4) Any other thoughts on when to disable "save password" functionality?

This again is like question 1). It all depends on the importance and the aftermath/cost to pay of losing the password.

Chandan .
I disagree with your statement that user security/privacy is more important than user frustration. They are not always mutually exclusive, and are quite often tied to one another. If you don't allow saved passwords, the user is more likely to choose a short and easy-to-remember password that takes less time to type, and use the same password for every account. That is arguably more dangerous than using Firefox's security device to remember strong, unique passwords for each site.
Calvin
+2  A: 

You need to do some basic risk assessment:

  • How critical is your application?

If it's an online banking application, risking a client losing their investments because they used a public computer or had their notebook nicked is not a good idea, so disable it.

Security vs. Usability is not an easy battle; you need to make some sacrifices. But also, if you've got two-factor authentication you might not disable it, because the password alone wouldn't be enough to transfer money or do other dodgy stuff.

  • How frequently is it used?

If this is a web-mail or a service like twitter just enable it. Otherwise you'll piss off so many people.

I don't like web sites that disable it, because I know what to save, what not to save and the risk I'm taking. However, normal users wouldn't, therefore you should make the hard decision for them.

Also there are other non-obvious risks you need to consider:

  • Publicly used computers
  • Old HDDs on eBay
  • After an exploitation, all attackers will look for this data first, because they know it's good loot.
  • There have been client-side attacks / weaknesses released focused only on auto-completed passwords and usernames.
dr. evil
A: 

I know that especially in the US, bank security is lax. Bank sites shouldn't even use password protection, as it completely fails to protect against even simple keyloggers.

MSalters
A: 

I would never disable password saving. You are just as likely to increase the risk as to decrease it. Example:

  1. User logs into your website for the first time, and manually enters their password
  2. User visits a malicious site, which installs a keylogger
  3. User visits your site again, enters the password again, keylogger sends user's password to the thief.

If the user had saved their password instead, they would not have had to type it again in step 3, and so the keylogger could not have been used to steal it.

finnw
A: 

I've just run into this from the other end (having to disable the "save password" functionality) and for us, it's an audit issue. Some audit frameworks view this as a security issue (person A has certain rights in a [web-based] application, they save their credentials into the browser, person B gets into the application using person A's account because person A walked away from their computer without locking it).

This isn't to say that there should be other controls in place (forcing Windows to lock, etc), but that there are sometimes "valid" reasons for why some websites don't allow you to save your password.

Brandon