On Firefox:<p>1. Go to about:config<p>2. Right-click anywhere, New -> Boolean:<p>signon.overrideAutocomplete<p>Value: true<p>More info: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=425145" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=425145</a><p>EDIT: Based on the milestone set on that issue, this setting requires Firefox 29. Another workaround is this bookmarklet: <a href="https://www.squarefree.com/bookmarklets/forms.html#remember_password" rel="nofollow">https://www.squarefree.com/bookmarklets/forms.html#remember_...</a> referenced from comment <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=425145#c16" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=425145#c16</a>
I've run into the problem of web services not letting me store passwords. The reality is, if you let my password manager (Safari jacks into OS X's keychain system) keep track of things, I'm going to use the random 12-digit alphanumeric password my password manager provides me. If you don't, I'm either going to use my shitty "brain" password or put it in my password manager anyway and just copy-paste it manually.<p>Thankfully, Safari on both iOS and OS X has a toggle to ignore autocomplete=off, which I take advantage of liberally.
My biggest problem is with sites that don't let me copy/paste into the password field. WTF!? Who's the PHB that came up with this policy? <i>Despite</i> this misguided nannying, I still use randomly generated 22-character alphanumeric passwords, even if I have to open up the window in KeePass and manually type them in. Most people aren't as paranoid and anal as me, however. Whoever you are, you're basically encouraging people to use weak passwords.<p>Ironic, as it seems to be banks that are most often guilty of this.
> Please note that if you combine this policy and at the same time disable copy and paste into the password fields (I look at you, Blizzard!), I hate you.<p>Oh man. Disabling paste is the worst, because it breaks KeePassX. (Apple did this last I checked!)<p>TurboTax did that as well last year; this year they made it sane again. Luckily there's a Firefox about:config setting you can use to not let websites hijack / block your clipboard events.
The first thing I install in a new browser is an adblocker. The second thing is an addon that disables autocomplete=off.<p>Yes, I'm lazy. But my laptop is encrypted and goes back to the login screen after 2 minutes of inactivity. To me autocomplete=off is just annoying and doesn't add any security.
I just use this bookmarklet to remove "autocomplete=off" from form elements:<p>javascript:(function(){var%20c=0;function%20R(w){try{var%20a,df,dfe,i,j,x,y,r=1;df=w.document.forms;for(i=0;x=df[i];++i){dfe=x.elements;if(a=x.onsubmit){a=""}if(a=x.attributes["autocomplete"]){if(a.value=="off"){c++}a.value="on"}for(j=0;y=dfe[j];++j){if(a=y.attributes["autocomplete"]){if(a.value=="off"){c++}a.value="on"}}}}catch(E){r=0}return%20r}R(self);var%20i,x;for(i=0;x=frames[i];++i)R(x);if(c){alert("Found:%20"+c)}})();
This drives some of our customers nuts because autocomplete has the annoying tendency in the most recent Safari of overwriting prepopulated fields - users end up losing configurations over this.<p>Otherwise I can see the benefit of ignoring the setting, perhaps, but we need consistent default behavior (chance would be a fine thing!). I don't want to be telling my customers that they should switch off autocomplete as a user shouldn't need to configure a browser to use a website!
The original article fails to take into account the larger population. The basic password managers in browsers are huge security holes. The one in FF does not use a master password by default, so anyone could look at an unattended computer and see all stored passwords with a few clicks. The article mentions an old JavaScript attack on the passwords as well (but then dismisses the threat, since that one hole was patched).<p>So the problem really is that the browsers pushed insecure features out to the masses, and many people adopted them. The number of people in the general population who use a password manager is low (obviously it is high here on HN). So think of the autocomplete=off flag as a flag to make sure you are using a competent password manager, one that recognizes the problem and then overrides the flag. Sounds like Safari and IE 11 are already doing that, so hopefully they fixed the problems of the early password managers.
This article uses "password managers" ambiguously. In my opinion, a browser is a terrible password manager because of what is stated in the "pros" section of the article. My advice aligns with others who have replied here - get a real password manager such as 1Password and allow autocomplete="off" to do what it is supposed to do.
The issue may be moot--IE 11 ignores autocomplete=off.<p>And in any case, for the cases where this setting is effective, it doesn't <i>break</i> password managers--just set your password manager to not fill the fields, but use copy and paste for the password.<p>[Edit - spelling]
> Tell me how I am supposed to fulfill these requirements if I need 20 websites daily to do my work?<p>One solution to this problem (or at least one way to severely mitigate it) is to use a base word that you tweak with a simple algorithm based on the first letter, last letter, number of letters in the domain, etc. Of course some websites have mutually exclusive requirements, so this doesn't work for all sites, but I've been doing this for so many years now that while I have muscle memory for frequently used sites, I can go to a site I haven't been to in years and have no memory of the actual characters in the password, but I apply my algorithm and voila, it works!
I don't think I've run into a situation where LastPass has been unable to auto-fill a form. Is this a feature of LastPass, or have I just not gone to sites that disallow autocomplete?
1Password makes this never be an issue for me. ⌘+/ to log into anything with one stroke, unless I have multiple accounts for the site, in which case it's a couple of extra clicks.
I'm going to go with Bruce Schneier on this one and say that there is absolutely nothing wrong with writing your passwords down. If someone mugs me and takes my wallet there is a 99% chance they are going to get the phone too and I'll need to change all my passwords anyway.<p>Not letting the browser cache them is still dumb though.
Could you not run an analysis of a user's password on account creation or password reset that determines if it is likely to be autogenerated and managed by a password manager? Then, armed with this flag, enable or disable autocomplete on a user-by-user basis with JavaScript?
Someone was showing me Capital One 360 (formerly ING), which uses an onscreen PIN pad that you either have to click with your mouse, or type using a randomly generated mapping. The idea is to thwart keystroke loggers, but it's totally infuriating.
How does it break password managers? Does it prevent them from auto-filling in or auto-saving the password? I use Passpack and enter/retrieve my credentials manually and so don't experience this and appreciate autocomplete=off.
Only slightly related, but I really wish GitHub would add autocomplete=off on the language selection dropdown for Gist. If you make your own autocomplete UI, I would prefer that you disable the browser UI.
I use:<p><a href="https://addons.mozilla.org/en-US/firefox/addon/remember-passwords/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/remember-pass...</a><p>It's heavenly.
I used to use Chrome as my second browser, where I'd keep my work Gmail account up.<p>Recently it started to no longer save my password, even with an autocomplete=on plugin installed that works on other sites. That was my catalyst for uninstalling Chrome altogether and moving to Firefox for everything.
Right, this isn't what autocomplete=off is for. It's for fields where correcting the user's input to dictionary words is of negative utility, for example, typing stock tickers should not correct "aapl" to "apple".