A feature I really like in most web browsers, is the ability they have to “remember” my login and password for a given website. And I like the way Firefox does that, by displaying a non-intrusive notification bar at the top of the page while loading the page:
(I don’t like the way Safari does, by putting a modal window. So I have to already answer if I want to save my credentials before being sure that I entered the right ones)
I really like this feature for several reasons. I think it’s more secure than having to type my password. Some people may disagree, but to me, having that feature allows me to set a different password on every website I have an account on. Without that feature I will use the same password everywhere which is a very bad idea. If I use the same password everywhere, if somebody finds out what my password is, he will have access to all my accounts. And this is way much more easier than you may think:
- lots of websites does not do the login procedure on a secure connection so intercepting data is not that difficult, especially with non-secure WiFi / free WiFi access points
- lots of websites/companies store your password in plain text in their databases, so mostly anybody working in that company at some point in time may see your password (and I’m not kidding, I’ve seen that myself several times (If I was a bad guy, which I’m not by the way
, I would already be the owner of thousands of emails/logins/passwords))
An other reason why I think using the web browser’s password manager is more secure is because if at some point a malware installs a key-logger on your computer (which is not unusual on Windows computers), each time you type your password it’s a chance more for the key-logger to record it.
And of course, web browsers save your passwords in a crypted file (and not in a plain text file as some people do, which is also not really secure). To me, the biggest downside of this feature is that I can’t log in a lot of websites if I’m not using my computer because I don’t remember my passwords.
So there is something I really don’t like when surfing the web, is when I use websites where, for some reason, Firefox/Safari does not ask me to remember my password. Until recently I didn’t checked why, I was supposing that the login form was done in a way that web browsers did not recognized it as a login form (maybe because of an intensive use of javascript). But it looks like I was wrong on that, and that there are people stupid enough to call “feature” the ability of a website to prevent your web browsers to store your credentials.
From what I have seen so far, several web browsers disable the auto completion/password manager when the attribute autocomplete="off" is set on a form or input field. First of all: this attribute IS NOT STANDARD. It’s not part of any HTML/XHTML specification. It seems it was invented by Microsoft for Internet Explorer a long time ago (why bad ideas always come from the same guys? ).
There is a page on Mozilla’s developers website explaining how works the autocompletion and how to turn it off, and the page on autocompletion attribute on MSDN website.
The second point is: ok, Internet Explorer has this stupid feature, why other web browsers have also implemented it? The final decision has to be done by the user, not some manager of a website who thinks that he knows what you want better than you.
The only point I see where it may be useful, is that it also works for forms other than login forms. For login forms your web browser always ask you if you want it to store your login and passwords in a secure place. For other forms, the web browser remembers everything, in a place that may not be secure, and without asking you anything, which might be quite bad when filling a payment form with your credit card number. At this point, what would be useful, is a way to say to the web browsers that some data in the form are sensitive information (so the web browser may ask you if it should remember those data, and in that case put them in a secure place).
If you have followed until here, my point is: the autocomplete attribute sucks, it does not solve any problem and annoys me.
How to make those broken websites behave correctly again?
Several possibilities:
- use a web browser that does not understand the
autocomplete attribute (I don’t know which ones)
- if you are using an open source web browser that supports that attribute, remove the support from the sources, compile, enjoy (that’s one of the freedoms of open source)
- if you use Firefox, use Greasemonkey
First time I heard about Greasemonkey was several years ago, but for some reasons my neurons did not connect together at that time and I did not realized the power of this Firefox plugin, until I saw Paul’s demo at FOSDEM. Since then, I love that plugin. Simply said, this plugin allows you to fix websites 
. First thing I did after installing it was to fix my bank website, which was forbidding me to go straight to the login page and was also forcing me to open the login page in an other tab/window. Greasemonkey allowed me to fix that with one line of code (really only one line, and a simple one in that case). Greasemonkey also has a lot of user contributed scripts for several websites (from that I found one fixing the download links on Jamendo (in order to download directly the OGG Vorbis version of an album (which is not possible from the website) and without opening a stupid download window)).
Something I love, on the scripts website, is the following sentence, at the bottom of the website: “Because it’s your web”.
How to fix the autocomplete attribute with Greasemonkey? My first try, was with my company’s Outlook Web Access (yes, unfortunately there are some people/companies actually paying for that), and guess what? Somebody already did a script for that: Allow Browser To Save Outlook Web Access Password.
So I was wondering: “do I have to do a script on every website that use autocomplete="off"”? I ended up, a few minutes after, with that script (note: I don’t know javascript at all, any comments to improve this script is welcomed):
// ==UserScript==
// @name Turn ON autocompletion
// @namespace http://desgrange.net
// @include *
// ==/UserScript==
(function() {
function turnAutocompleteOn(element) {
if(element.hasAttribute('autocomplete')) {
element.setAttribute('autocomplete', 'on');
}
}
for(formKey in document.forms) {
turnAutocompleteOn(document.forms[formKey]);
}
var inputs = document.getElementsByTagName('input');
for(var i=0; i<inputs.length; i++) {
turnAutocompleteOn(inputs.item(i));
}
})();It’s a bit brutal, on every pages you visit, it looks for all forms and all input tags having the autocomplete attribute and set it to “on”. I don’t know how often this autocomplete attribute is used, so I don’t know yet the side effects of doing that on every pages (that’s why I have not put this script on http://userscripts.org yet).
