Google Site Search


Thursday, February 28, 2008

Should you disable saving passwords in your browser?

Majority of the free as well as commercial browsers have a password saving feature. Of course without this, our lives would not have been so much fun. We would be scampering to remember passwords or used one of our notebooks to jot down all the fun user ids and passwords for the one thousand and counting web sites we visit on a regular basis.

One of MIT's online articles here talks about when one should never store passwords in the browser (right, I am talking about the auto-fill feature that is your favorite).

Information Services and Technology recommends that you do not save passwords with your browser for sites which have:

* private information about you or someone else (e.g., medical records)
* private financial information (e.g., credit card numbers)
* private correspondence (e.g., e-mail)

For example, you should never save the passwords for your accounts with:

* Fidelity NetBenefits
* MIT Federal Credit Union, or your bank
* MIT WebMail

If you do save passwords for these types of sites, you put yourself at risk.

There is a non-standard feature to hint the browser to not do auto complete for certain fields as in:

<input type="text" name="Credit Card Number" autocomplete="off" />

Browsers like IE, Firefox (and probably Opera also) honor this.

* Using this attribute breaks the xhtml rules. So your page will not be xhtml compliant.

One of the security developers at Mozilla has basically said the following:
We respect it sufficiently that there are several popular bookmarklets/greasemonkey scripts out there that remove this attribute from sites when they find it. People really like their password fillers.

I do hope that this attribute gets into the HTML5 specification and becomes a standard web authoring practice for Banks, Financial Institutions and other secure online sites. Oh, wait. Also Paypal....

UPDATE: If you look at the comments on this post, I have been told that "autocomplete=off" is a valid attribute in HTML5. So that is good. But it remains to be seen how soon banks, financial institutions and health care services will adapt HTML5 or start using this attribute (shouldn't they already be doing this?).


Hixie said...

autocomplete="off" is part of HTML5:

Anonymous said...

Don't have your browser save your passwords. Instead, use only one password for everything, and make sure it's easy to remember, like a short dictionary word or a blank string.

But really, isn't this similar to the Keyring used by NetworkManager? Always thought it odd that if I allow a friend to get online, he's also got access to my VPNs implicitly.

What's the point of having many passwords if you're just going to aggregate them behind one master key anyway?