For web sites that have username/password text input fields, the browser usually handily offers to remember them for you (in my case, Safari puts them in my OS X keychain).

This simply does not happen with certain web sites. The first example that comes to mind is vBulletin forums. Meaning you can't use a complex/random password unless you're willing to copy and paste it from somewhere each time.

Are browsers detecting when to offer to remember these by "does this look like a username/password" heuristics and failing sometimes?

How does this work behind the scenes?


Edit: Fellow Safari users, check out this combo:

http://8-p.info/greasekit/

http://userscripts.org/scripts/show/8021

http://userscripts.org/scripts/show/28696

+1  A: 

There's an 'autocomplete="off"' attribute on form (not officially in HTML4, but generally supported).

Matthew Wilson
Why on earth would a web developer include that on their username/password form? It's taking a personal decision out of the user's hands.
frou
Banking sites are very keen on it - they don't want to trust the security of the user's PC to store sensitive data.
Matthew Wilson
Are they going to send some heavies round to rip the post-it-note off the bottom of ma's monitor?
frou
+1  A: 

You could use <FORM METHOD="post" ACTION="action.cgi" AUTOCOMPLETE="off"> but this only works in IE I think.

You could also use a random string for the password field ID so that the browser cannot be sure that a previously entered password is authenticating the same page this time round.

Another strategy would be to not use type="password" as the browser uses this to identify a field as a password - however, this is not a good idea as the password would not be blanked out when the user types it into the form. Any JavaScript to emulate this would not be executed if JS was disabled.

I think using the first two techniques would probably be as good a solution as is possible without resorting to advising your users to not allow the browser to store passwords.

Richard
I don't want to perpetuate it, I want to kill this practice! :-)
frou
I would agree with you that it is bad practice. Just exploring the methods used to achieve it.
Richard
+1  A: 

Try this:

<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
Anton Gogolev
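
The three techniques mentioned in the answers above (autocomplete="off", a password field ID that changes on each load, and no type="password" field) can be checked for in a page's markup. The following is an added example, not part of the original posts: the function names, finding labels and sample markup are constructed for illustration, and it inspects markup only, without modelling any particular browser's save-password logic.

```javascript
// Added example: audits login-form markup for the three techniques named in
// the answers. The regex attribute scan is a simplification for small snippets.

// Parse one tag's attributes into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return every opening tag of the given element name as an attribute map.
function tags(html, name) {
  const re = new RegExp(`<${name}\\b[^>]*>`, 'gi');
  return (html.match(re) || []).map(parseAttrs);
}

// loadA and loadB are the same login page fetched twice, so that a password
// field whose id or name is regenerated on every load can be spotted.
function auditLoginForm(loadA, loadB) {
  const findings = [];
  const isOff = (a) => (a.autocomplete || '').toLowerCase() === 'off';
  const pwFields = (html) =>
    tags(html, 'input').filter((a) => (a.type || '').toLowerCase() === 'password');

  if (tags(loadA, 'form').some(isOff) || tags(loadA, 'input').some(isOff)) {
    findings.push('autocomplete-off');
  }
  const a = pwFields(loadA);
  const b = pwFields(loadB);
  if (a.length === 0) {
    findings.push('no-password-type-field');
  } else if (b.length > 0 && (a[0].id !== b[0].id || a[0].name !== b[0].name)) {
    findings.push('password-field-changes-between-loads');
  }
  return findings;
}

// Constructed sample markup, modelled on the snippets quoted in the answers.
const field = (id) => `<input type="text" name="user"><input type="password" id="${id}" name="${id}">`;
const plain = `<form action="login.cgi" method="post">${field('pw')}</form>`;
const off = `<FORM METHOD="post" ACTION="action.cgi" AUTOCOMPLETE="off">${field('pw')}</FORM>`;
const randomA = `<form action="login.cgi" method="post">${field('pw_8f3a1c')}</form>`;
const randomB = `<form action="login.cgi" method="post">${field('pw_d27e90')}</form>`;
const textOnly = '<form action="login.cgi" method="post"><input type="text" name="secret"></form>';

console.log(auditLoginForm(off, off), auditLoginForm(randomA, randomB));
```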