Topic: please use autocomplete="off" in the login form

Hi,
It would be nice to have the attribute: autocomplete="off" in the login form.
Some thing like:

<form autocomplete="off" ...

It prevent the browser from saving your user/password. This attribute is used in my sites like yahoo mail and hotmail.

Maybe it can be configured as an option.

Thanks
Oliver

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

How many browsers support that attribute?

3 (edited by oliversl 2006-06-08 16:15)

Re: please use autocomplete="off" in the login form

All mayor: mozilla 1+, Firefox 1+, IE 5+
http://www.w3.org/Submission/web-forms2 … tocomplete

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

nice, hmm... but it seems one need to put it on the text/password fields

applies to the text, password, select, textarea, date-related, time-related, numeric, email, and uri  controls

5 (edited by oliversl 2006-06-08 16:51)

Re: please use autocomplete="off" in the login form

If you put in the <form> tag, all fields of the form get the attribute too.
So there is no need to put in every form field.

Of course you can also use it only, for example, for the password field.

http://tinymailto.com/oliversl <-- my email after a captcha

6

Re: please use autocomplete="off" in the login form

The autocomplete attribute is invalid XHTML.  It shouldn't be too hard to mod PunBB to use it for those who want it, but I hope the core stays valid.

7

Re: please use autocomplete="off" in the login form

plus, some people (like me) just love autocompleting  fields because they are too stupid to remember all their passwords....

The German PunBB Site:
PunBB-forum.de

Re: please use autocomplete="off" in the login form

Tobi wrote:

plus, some people (like me) just love autocompleting  fields because they are too stupid to remember all their passwords....

+1 wink
or to lazzy to remind it wink

9

Re: please use autocomplete="off" in the login form

You can make it off in your browser, I like the autocomplete.

If your people come crazy, you will not need to your mind any more.

10

Re: please use autocomplete="off" in the login form

There is no chance of the the automcomplete attribute being added as a default. My attitude is that since this is browser feature rather than part of xhtml then it is up to people to set up their own browsers correctly. The only exception I would make are secure commerical sites where safety takes precedence over everything.

Re: please use autocomplete="off" in the login form

another feature, will be to allow users to login in public terminals.
Think about this, you check your punbb forum from a friends PC, while traveling, while in another work workstation, and your login info is compromised.

Firefox ask you every time to remember your password, but Internet Explorer no.

So, this feature should give a more secure aproach to punbb logins.

I agree, it can be disabled or disabled/enabled per user login (using a checkbox like "I'm using a public terminal"), thats perfect for me.

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

So, lets look at this:

Pros:
- Browsers won't save login info. Ever.

Cons:
- Browsers won't save login info. Ever. Yes, that is a desired feature for some people. tongue
- the XHTML, a very important part of PunBB, would be invalid

I see this the same way I see the issue of opening links in a new window. PunBB could implement some javascript to do that. However, why should it? The user should have the option of where to view the link. Same thing here. The user should have the option to save their password if they so choose. They don't have to save it, there is no larger a security risk (because you have to accept a prompt to save your password), and it would not allow the user any choice.

Re: please use autocomplete="off" in the login form

I won't say the word "Ever".
This feature should be configured as:
- a site configuration, done by the admin
- a user configuration, done by a cookie and custom make login form

Either way, it is configurable.

Another way to look at this is:
- punbb configured as secure as posible: use a non xhtml attribute in favor to a secure installations (as done in bank, yahoo, hotmail, big-site-example.com, etc)
- punbb configured as user friendly: let the browser save the user/password of the login form

you have to decide how secure you want to provide punbb to your users ...

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

You can decide that now: if you want it, add it in.
Most forums would rather give their users the ability to save their username/passwords over the need to keep them secure (after all, you shouldn't be storing sensitive banking details in a forum tongue). And if a forum wants to add it in, they can edit the file: there's no need to make it an option to configure and thus add more bloat to the software.
It's the same thing with the links in new windows. There are small mods out there to change the behavior. PunBB isn't going to implement them as an option because it's easier and simpler to not do it and let the user do it if they really feel they need it

Re: please use autocomplete="off" in the login form

Hi Smartys,
my point is that since IE is the most used browser, and it does not ask you to save your password, it might be insecure when people use IE in public terminals. thats all.

BTW, I use Firefox wink

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

oliversl wrote:

Hi Smartys,
my point is that since IE is the most used browser, and it does not ask you to save your password, it might be insecure when people use IE in public terminals. thats all.

BTW, I use Firefox wink

Err, I just tested it: it asks me for every unqiue username/password I put in

Re: please use autocomplete="off" in the login form

Just a note, most users just click Yes in the "don't ask again" checkbox from the dialog window.

My only point is that most secure site uses this attribute, so it might be usefull to use it.

Smartys, I already know that you don't want to use this attribute, thats ok.

http://tinymailto.com/oliversl <-- my email after a captcha

18 (edited by Smartys 2006-06-13 17:27)

Re: please use autocomplete="off" in the login form

Choosing don't ask again disables the password saving.
And it's not that I don't want it, it's that this would break the XHTML and keep the user from having a choice. I know this will never become a part of PunBB (well, as much as anyone but Rickard can know), but that doesn't mean I won't still argue that it isn't necessary

Re: please use autocomplete="off" in the login form

Hi Smartys,
lets calm down a litle.

I understand your point about saving the passwords. No problem.

I edited my forum to support autocomplete=off, if anyone find it helpfull, they can read my first post and do the same.

http://tinymailto.com/oliversl <-- my email after a captcha

Re: please use autocomplete="off" in the login form

I am calm wink

Re: please use autocomplete="off" in the login form

wink

http://tinymailto.com/oliversl <-- my email after a captcha