
browsers offering to save login details - how to properly stop this


chenks:
it seems every browser nowadays wants to "help" the user by prompting to save the username and password when logging into a website.
great for the lazy end-user, but bad for forcing people to actually log in properly each time, and bad for enforcing password changes when the end-user forgets their password because the browser is entering it for them.

we have some websites here where we are enforcing regular password changes, and due to the end-user happily clicking "yes" when chrome asks them to save the details it means every 30 days the end-user does not remember the password they chose.

so I've been looking at some code to try and block the browser prompting this. it seems that the original method of "autocomplete=off" is no longer correctly honoured by "modern" browsers, most simply ignore it.

so a method I saw was to hide the real form fields so the browser didn't see them as a login attempt, and the method I saw and tried works with Chrome, Opera and internet explorer, but not sodding Firefox!!


--- Code: ---<!-- the visible fields sit outside the form so the browser does not treat the form as a login form -->
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>

<!-- the form that is actually posted only contains hidden copies of the values -->
<form id="theForm" action="/your/login" method="post">
  <input type="hidden" id="hiddenUsername" name="username"/>
  <input type="hidden" id="hiddenPassword" name="password"/>
  <input type="submit" value="Login"/>
</form>

<!-- the script below uses jQuery, so it must be loaded first -->
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script type="text/javascript">
  // copy the visible values into the hidden fields just before the form is posted
  $("#theForm").submit(function() {
    $("#hiddenUsername").val($("#username").val());
    $("#hiddenPassword").val($("#password").val());
  });
  // the visible fields are not inside the form, so Enter has to trigger the submit by hand
  $("#username,#password").keypress(function(e) {
    if (e.which === 13) {
      $("#theForm").submit();
    }
  });
</script>
--- End code ---

also, this method appears to show the actual password text in the browser.

so has anyone come up with a solid method that works in all browsers that doesn't result in weaker security?

Chrysalis:
First thing I will say is practices like forcing password changes have proven to be a false economy in terms of security; you get situations like users rotating two passwords and it makes it more likely someone will use a weak password.  In addition, blocking people from saving passwords has also proven a false economy; again it encourages weak passwords to be used if you are having to manually type it in.  This is a big reason why Chrome developers now have blocked websites from blocking password auto filling.  If you also block copy and paste in password fields I suggest you stop that behaviour as well, as that's another policy that encourages the use of weak passwords.

With that said I don't let my browser remember passwords for sensitive stuff like banking, however the banks are sensible in that they don't enforce false economy practices such as regular password updates and preventing copy and paste.

I don't know the answer to your query other than to use drop down letter selections, that will stop it, but also make it a pain to input all the characters.  However what you could do is make it ask for say four random characters, some banks do this, so e.g. characters 3, 6, 11, 17 from the password selectable in drop down selections.

broadstairs:
I must admit it does frustrate me when on the odd occasion a website does funny things with login pages. I don't see that allowing browsers to remember passwords is an issue. Firefox will prompt a user to update a password if the login details change. I try to use a different password for every login and the only other way to remember this would be to write them down, which is a really daft thing to get users to do. Using a password manager of some sort is quite secure, especially if it saves the details encrypted.

Stuart

chenks:
the problem we are having is this.

we enforce a 30 day password reset/renewal - the password strength needs to be high (it doesn't allow a weak password to be used).
browsers saving the passwords kind of defeats the purpose of having one in the first place if someone who gains access to a desktop can then just load the page and have the browser auto fill in the security details. it also results in the user not remembering/knowing what their password is, so when they move computer or have to change it they end up having no idea what their password is currently.

Chrysalis:
forgot password button solves the second problem.

For your other issue I would stop stressing over saved passwords and just add proper 2FA.  Not to mention the other solution I proposed would also work.
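The "proper 2FA" suggested above, as an added example that is not part of the thread: a server-side TOTP (RFC 6238) verifier using only the Python standard library. A saved browser password alone is then not enough to log in. The secret, time values and the one-step drift window are assumptions for the example; the secret is the RFC 6238 SHA-1 test secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` steps of clock drift.

    Returns the time-step counter that matched, so the caller can store it and refuse a
    replay of the same code (any counter <= last_counter is rejected). Returns None on failure.
    """
    if at is None:
        at = int(time.time())
    current = at // step
    for counter in range(current - window, current + window + 1):
        # reject codes for a step that has already been used once
        if last_counter is not None and counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        # constant-time comparison so the check does not leak how many digits matched
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


# constructed secret: the RFC 6238 SHA-1 test secret, only for demonstration
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(SECRET, 59))                       # 287082 (RFC 6238 test vector)
    print(verify_totp(SECRET, "287082", at=89))   # 1: accepted via the drift window
```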
