That's a misuse for the term "autocomplete" in my opinion. What he complains about is "autofill", not "autocomplete" as I understand it. Autocomplete takes the values you used previously and gives you suggestions for the stuff you're typing in yourself. Autofill tries to guess what values are required and fills them in without additional interactions.
You conflate autocompletion provided by the browser, based on values previously submitted in identically named fields, and autocompletion against values provided by the server.
I remember noting with concern several years ago that Safari was blindly saving my credit card number along with all my other auto-fill data. Thing is, I recall observing that behavior stopping around Safari 4 or so – the browser appeared to be using something along the lines of the data detectors that put calendar links on times mentioned in emails, and saving everything but the credit card field.
Usually I agree that people will blindly click through, but I don't see people clicking through this[1]. Especially if Safari said it would auto-fill your credit card number and you weren't buying anything?
For me if I just enter my first name, then I get the small AutoFill popup with my contact card preselected, and just hit enter, it autofills without me seeing the full popup with the detailed info in it.
Isn't that like claiming individual permissions pop-ups are working just fine on mobile devices, because people are carefully and individually considering whether each given app needs each requested permission?
If some autofill feature starts training users to click "Ok, Ok, Ok, Ok, whatever, just Ok!" any time they sign up for some account or site feature, how long until masses are unwittingly sending along way more data than any sober assessment suggests they ought to and we're shrugging our shoulders and saying "well, the site asked..."
Firefox and the Mozilla Suite have had a very similar problem since at least 2005: it autofilled usernames and passwords, which creates a problem with XSS or user-generated content on the same domain. The bug was marked WONTFIX: https://bugzilla.mozilla.org/show_bug.cgi?id=280469
Strange, but for me Firefox does not auto-fill passwords, unless you provide a username (and of course, you opted into auto-filling). What did it do, as I don't understand? Did it automatically auto-fill password fields that happened to get loaded on the page?
You have to have an autofill set up with more information than just your name. You can tell if you have this set up because when the autofill choices show they will have your address etc in gray next to the choices you are auto-completing.
I just don't store credit card details in my browser. Auto-complete for emails is extremely handy and I use that all the time, but does purchasing things online really need to be any easier?
I don't mind reaching for my wallet there; it forces you to make a conscious decision to spend the money, which is at least slightly better than a 1-click impulse.
Credit card details are not the main concern here (because they are separated on Chrome), but you could send your address and phone number to a server without expecting to send more than your name or email address.
True and it takes what? 1 minute of typing? Do we really need to go faster than that? Of course, companies are all in favour, but it's not in our interest.
I don't see the problem; all that was filled in was my name. The other fields were left blank, even when I re-entered it after the other fields popped up.
Should be easy to make a proof of concept page to scare people dumb enough to have credit card auto-complete.
Just make hidden form fields for every field name you can think of, then make some onload javascript to welcome them to the page with any fields that aren't empty.
You shouldn't call people dumb for following Google's instructions. I agree with you that storing CC details in a web browser is a bad idea, but we should take issue with Chrome here (and other browsers) not with regular "dumb" users.
I always disable all "auto" functions in any browser. Autocomplete for forms and URLs, remember passwords, everything I can find a switch for I turn off. Makes the browser faster and I feel like I'm more in control of it.
Why is it good practice to use it on login fields? That just means your users will use weaker (easier to remember) passwords on your site instead of using random, unique ones stored in a password manager.
I've noticed with Firefox (17 ESR) that, having once used Firebug to delete the 'autocomplete="no"' attribute on a password field and then submitted the form, it's not necessary to do so again; in whatever heuristic Firefox uses to determine how to behave in that case, the existence of auto-completion data for the field apparently overrides the advice given by the attribute. For those leery of adding still more extensions to a Firefox profile already well larded with them, this may be useful information.
An attacker that can make use of an auto-completing password field has got enough access to mean that the game is over anyway - they can get that password from a variety of other sources on the machine.
Turning off autocomplete on login fields doesn't make that form more secure, and it does annoy users.
As kalleboo says, it probably reduces security as your users change to easy to type passwords, or keep needing password resets.
Sorry, there's a bit of misunderstanding here; I should have made it clearer. Password type fields shouldn't autocomplete on browsers anyway. The "good practice" I meant is for devs to set autocomplete off for the username field - to prevent the login username or email address popping up (especially if the site is accessed on public or shared computers).
That's just infuriating. You're choosing to break functionality that I rely on to help me log in to your website, and there's absolutely no reason to do so.
> especially if the site is accessed on public or shared computers
People setting up those computers need to learn how to provide clean sessions for their users, rather than relying on every single website in the world doing weird things in forms.
I'm sorry, I've never used autocomplete for a few privacy related reasons, and this was one of them... this seems obvious, to the point where I thought the title was written in a sarcastic 'duh' tone...
I figured not letting your (google especially) browser store personal details was pretty much common privacy/security sense at this point.
"Visible on screen" unfortunately is a hard thing to determine. You can easily imagine a textbox with white text on a white background, or a very small textbox, or a textbox that briefly pops up whenever you type a keystroke or click the mouse, or...
Browsers really need to support some mechanism where the user can determine precisely what information will be filled prior to it being handed over to the website. This needn't be difficult; Chrome's existing autofill popup already displays a subset of the information, the popup just needs to give a fuller picture.
----------------------------------------------------
| This webpage is asking for information that your |
| browser can automatically fill in for you. Check |
| the box next to each item you'd like to include. |
|                                                  |
| [x] Email address - bob@example.com              |
| [ ] Name - Bob Jones                             |
| [ ] Address - 123 Sample Street                  |
|                                                  |
| [Autofill] [No thanks]                           |
----------------------------------------------------
I suspect this would be very difficult to implement robustly. There are just too many ways to hide something: color it white, overlay another element on top, use a weird font that causes it to look like something else, ...
This would not be hard to do. There are standard names for the auto complete form inputs. The browser (or plugin) could be configured to notify you if some/any of those fields are about to be posted and warn the user using a native code generated pop-up (not a web pop-up).
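The two proposals above (a confirmation popup listing every field autofill is about to hand over, and a plugin that keys on the standard autocomplete field names and warns before posting) can be sketched as one submit-time audit. The code below is an added example, not code from this thread or from any browser or extension: it classifies a form's fields by the personal data they would carry, flags the ones the user could not have seen (hidden inputs, zero-size boxes, text the same colour as its background), and builds the text a confirmation dialog would show. The field records are a constructed, DOM-free shape so the logic runs outside a browser; in an extension you would build them from `form.elements` with `getComputedStyle` and `getBoundingClientRect`, and the name-substring heuristics are an assumption standing in for whatever a given browser actually uses.

```javascript
// Added example: submit-time audit of autofillable personal data in a form.
// Runs on plain field records (constructed below), not on a live DOM.

// Tokens from the HTML autocomplete attribute that denote personal data.
const PERSONAL_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'email', 'tel', 'street-address',
  'address-line1', 'address-line2', 'postal-code', 'country-name',
  'cc-name', 'cc-number', 'cc-exp', 'cc-csc', 'bday',
]);

// Fallback for fields without an autocomplete attribute: name/id substrings
// that autofill heuristics commonly key on (an assumed list, not a browser's).
const NAME_HINTS = [
  [/card|cc[-_]?(num|no)/i, 'cc-number'],
  [/e-?mail/i, 'email'],
  [/phone|tel/i, 'tel'],
  [/street|addr/i, 'street-address'],
  [/zip|postal/i, 'postal-code'],
  [/name/i, 'name'],
];

// Map a field to the kind of personal data autofill would put in it, or null.
function personalKind(field) {
  const token = (field.autocomplete || '').trim().toLowerCase();
  if (PERSONAL_TOKENS.has(token)) return token;
  for (const [re, kind] of NAME_HINTS) {
    if (re.test(field.name || '') || re.test(field.id || '')) return kind;
  }
  return null;
}

// A field is concealed when the user could not plausibly have read it:
// type=hidden, display:none / visibility:hidden, zero opacity, a box too
// small to show text, or text the same colour as its background.
function isConcealed(field) {
  if (field.type === 'hidden') return true;
  if (field.display === 'none' || field.visibility === 'hidden') return true;
  if (field.opacity === 0) return true;
  if (field.width < 8 || field.height < 8) return true;
  if (field.color && field.background && field.color === field.background) return true;
  return false;
}

// Audit the fields a form is about to submit: personal-data fields holding a
// value, split into those the user saw and those they could not have seen.
function auditForm(fields) {
  const disclosed = [];
  const concealed = [];
  for (const f of fields) {
    if (!f.value) continue;            // an empty field leaks nothing
    const kind = personalKind(f);
    if (!kind) continue;
    (isConcealed(f) ? concealed : disclosed).push({ name: f.name, kind, value: f.value });
  }
  return { disclosed, concealed };
}

// Text for the confirmation a plugin would show before letting the POST go;
// visible fields are pre-checked, concealed ones are not.
function promptLines(audit) {
  const lines = ['This page is about to receive autofilled personal data:'];
  for (const f of audit.disclosed) lines.push(`[x] ${f.kind} - ${f.value}`);
  for (const f of audit.concealed) lines.push(`[ ] ${f.kind} - ${f.value} (field not visible on the page)`);
  return lines;
}

// Constructed sample: a form after autofill ran, with only the name field
// actually readable by the user.
const SAMPLE_FIELDS = [
  { name: 'fullname', type: 'text', value: 'Bob Jones', width: 200, height: 24, color: '#000', background: '#fff' },
  { name: 'comment', type: 'text', value: 'hello', width: 200, height: 24 },
  { name: 'email', type: 'hidden', value: 'bob@example.com' },
  { name: 'addr1', type: 'text', autocomplete: 'street-address', value: '123 Sample Street', width: 1, height: 1 },
  { name: 'phone', type: 'text', value: '555-0100', width: 200, height: 24, color: '#fff', background: '#fff' },
  { name: 'cardnum', type: 'text', autocomplete: 'cc-number', value: '', display: 'none' },
];

for (const line of promptLines(auditForm(SAMPLE_FIELDS))) console.log(line);
```

Run with `node`: the name field shows up as the one checked item, while the hidden email, the one-pixel address box and the white-on-white phone field are listed unchecked, and the empty card-number field is omitted because nothing was filled. The visibility checks are necessarily heuristic, which is the objection raised in the thread; the point of the audit is that the decision is made by native code from the field's computed geometry and colours rather than trusting what the page chooses to render.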
No, it's for everything, though it might sound that way. Add a user on the settings page, it'll open up the switching UI, no sign-in required. (unless they changed that recently, of course. but that would suck.)
I just tried 1password Safari integration with the test form[0] and it had the same problem as Safari's own autofill (it filled out the hidden fields).
They're very different mechanisms...