How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?
-
Example:
Since the Gmail Routing fields are empty, Google Chrome helpfully puts in my NodeBB username and password. If I accidentally submit the form without deleting that data, my forum password is now stored unencrypted in the forum database and other admins can see my forum password.
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar?
-
@ben_lubar For HTML5, input elements support autocomplete="off"
However:
User agents would have to use heuristics to decide what autocompletion values to suggest.
And as far as I know, most of the time they match based on input names. Of course, changing those will break the form.
-
Isn't there some way to integrate with the API that Google has that would open the actual Google account selection/login page, allow the user to authenticate the connection to NodeBB, and return an authentication token that it can use to connect on their behalf? That would sidestep the whole issue, since then the login page is Google's page and if the browser has credentials stored for it they'd be the correct credentials, i.e. the Google account rather than the NodeBB account.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
my forum password is now stored unencrypted in the forum database and other admins can see my forum password.
maybe passwords shouldn't be stored in plaintext even if they're for another site? Just a thought.
-
@powerlord said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
For HTML5, input elements support autocomplete="off"
Insert rant about how dipshits abused this feature for "security", which is why browsers now ignore it.
-
On a tangential note, if you made it do some (rudimentary -- I don't want to get into the "how to validate emails" debate here) validation on the email address field, it wouldn't let you submit the form with that because "ben_lubar" wouldn't be a valid email address.
-
@anotherusername Ok, ignore the email example. Here's a different one:
I click "Create Credential" in BuildMaster. I select "GitHub".
That's my BuildMaster username and password there. (Don't worry, @Yamikuronue, BuildMaster encrypts passwords it uses with a key stored outside the database)
@powerlord @Yamikuronue @asdf Unfortunately, autocomplete="off" doesn't make the web browser turn off autocomplete on the fields.
-
@ben_lubar That's using auto-fill, not auto-complete. The browser sees input fields, checks the domain that you're on, and auto-fills any data that it has stored that matches. autocomplete="off" still works, because it won't try to finish a word that you begin typing into those fields, but your browser already has the auto-fill data saved, so it puts it in. You might be able to use some of the newer autocomplete values in order to keep it from auto-filling these for you.
Another option, if you can, might be to use the target site's login API or put their login page in a frame or something so that the auto-fill matcher can find the right domain to use.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
-
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Unfortunately, autocomplete="off" doesn't make the web browser turn off autocomplete on the fields.
As mentioned above, there's no easy way to stop a browser from filling anything that looks like a password field with the stored password for that domain. Since too many websites tried to keep people from using a sensible browser feature (password storage) for "security" reasons, browsers now actively ignore any attempt to do so on purpose.
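Because the browser cannot be reliably told to leave these fields alone, the accidental submission described in the first post can also be caught on the server before the value is stored. The sketch below is an added example, not part of the thread and not NodeBB's or BuildMaster's code; the function names, the "salt:hash" scrypt storage format and the sample account are assumptions made for illustration.

```javascript
// Added example: refuse to store an "external" credential that is really the
// submitting admin's own login password, put there by browser autofill.
// All function and field names are hypothetical, not NodeBB's API.
const crypto = require('node:crypto');

// Assumption: login passwords are kept as "<salt hex>:<scrypt hash hex>".
// A real application may use bcrypt or argon2; only these two helpers change.
function hashLoginPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

function verifyLoginPassword(candidate, stored) {
  const [saltHex, hashHex] = String(stored).split(':');
  if (!saltHex || !hashHex) return false; // malformed record: treat as no match
  const expected = Buffer.from(hashHex, 'hex');
  if (expected.length === 0) return false; // undecodable hash must never match
  const actual = crypto.scryptSync(candidate, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Returns { ok, reason, usernameMatches }. Only a password match blocks the
// save: reusing the same username on another service is legitimate, but it is
// reported so the UI can word its message.
function checkExternalCredential(admin, submitted) {
  const username = String(submitted.username || '').trim();
  const password = String(submitted.password || '');
  const usernameMatches =
    username !== '' && username.toLowerCase() === admin.username.toLowerCase();

  if (password === '') {
    return { ok: true, reason: 'no-password-submitted', usernameMatches };
  }
  if (verifyLoginPassword(password, admin.passwordHash)) {
    return { ok: false, reason: 'password-is-own-login-password', usernameMatches };
  }
  return { ok: true, reason: 'distinct-credential', usernameMatches };
}

// Constructed sample data: one admin account and three form submissions.
const sampleAdmin = {
  username: 'forum_admin',
  passwordHash: hashLoginPassword('constructed-forum-password'),
};

function demo() {
  return {
    // What the browser autofilled into the empty routing fields.
    autofilled: checkExternalCredential(sampleAdmin, {
      username: 'forum_admin', password: 'constructed-forum-password' }),
    // What the admin actually meant to enter.
    intended: checkExternalCredential(sampleAdmin, {
      username: 'relay@example.com', password: 'constructed-smtp-app-password' }),
    // Fields cleared by hand before submitting.
    leftEmpty: checkExternalCredential(sampleAdmin, { username: '', password: '' }),
  };
}

console.log(demo());
```

The comparison must only ever be made against the hash of the account sending the request, so the endpoint cannot be used to test guesses at another user's password.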
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
-
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
My password manager doesn't automatically fill anything on any website. I have to click the field and then it asks me if I want it filled out.
Get a better prog, son.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
A browser ought not be a password manager. What happens if you need to change computers? What happens if you need to wipe that one? Or you lose it or it gets stolen?
-
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
What happens if you need to change computers?
You mean like I do multiple times per day?
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
What happens if you need to wipe that one?
I bought a new dhromebook recently and it has all my passwords on it already. MAGIC!
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Or you lose it or it gets stolen?
The simple answer is that if I'm logged into my dhromebook and it gets stolen and the thief doesn't let it go to sleep, I'm fucked anyway because they have full access to my email and anything that I can log into via Google. If I'm not logged in or it goes to sleep the worst thing the thief can do is wipe it and log in with their own account.
If someone manages to steal my desktop computer without me knowing, I have worse problems.
-
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
A browser ought not be a password manager. What happens if you need to change computers? What happens if you need to wipe that one? Or you lose it or it gets stolen?
That's why you sign in to the browser, which (presumably) clouds your data for ~~them to sift through~~ your benefit.
-
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
A browser ought not be a password manager. What happens if you need to change computers? What happens if you need to wipe that one? Or you lose it or it gets stolen?
That's why you sign in to the browser, which (presumably) clouds your data for ~~them to sift through~~ your benefit.
Yeah, good luck sifting through the data that Chrome encrypts client-side with a password other than my Google password, Google.
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
encrypts client-side with a password other than my Google password
Since when? That's not by default.
Also, have you ever visited passwords.google.com ? They most certainly don't ask for you "not my google password" there...
-
@tsaukpaetra You mean THIS passwords.google.com?
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra You mean THIS passwords.google.com?
So you're not an average sheep. Congrats.
-
Ok, I tried a few IRC channels and got nothing that hasn't already been posted here, so I'm trying Reddit now:
https://www.reddit.com/r/webdev/comments/6ovom5/how_do_i_tell_web_browsers_andor_password/
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@djls45 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Is there some standardized markup for "instead of using the default username/password you have saved for this site, here's a string that will help you identify this set of fields so you can save the password separately if you really want to" or something similar
Yeah. Tell your browser to not remember your passwords for this site.
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
That's what password managers are for. Else how did you get random letters and numbers you can't memorize?
You just told me to disable my password manager for this site.
A browser ought not be a password manager. What happens if you need to change computers? What happens if you need to wipe that one? Or you lose it or it gets stolen?
That's why you sign in to the browser, which (presumably) clouds your data for ~~them to sift through~~ your benefit.
Yeah, good luck sifting through the data that Chrome encrypts client-side with a password other than my Google password, Google.
Does that encryption include which domains you have form data saved for? If not, they know which domains you frequent or have an account on.
-
@djls45 I don't care who has read-only data about me. I only care about data that can be used to modify my stuff.
-
I'd hazard to say you're giving off wrong signals if you use a password entry field for something you are going to store as either plain or reversibly encrypted in the database.
-
If you must persist in , I'm sure the liberal use of Javascript would fix your problem. Just wipe out what the browser puts in those fields.
-
@ben_lubar do those people not read? I feel like you've been StackOverflow'd. Try the things you've already told us you tried, and by the way what you're doing is wrong because there's a better way that has all of the same problems plus more problems.
-
Did you consider just switching these password fields to text fields?
-
I ran into a similar problem when designing the admin page for my website where I can reset and manually set passwords for my users.
I finally put the "New Password" field into a completely different <form> of its own, apart from the other user details.
-
@cartman82 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Did you consider just switching these password fields to text fields?
Changing their name might also help as the password manager might no longer recognize it as a login form...
@ben_lubar Also, have you seen autocomplete="new-password"? There's a ticket for it at Mozilla and MDN also mentions it.
-
@jbert said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@cartman82 said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Did you consider just switching these password fields to text fields?
Changing their name might also help as the password manager might no longer recognize it as a login form...
@ben_lubar Also, have you seen autocomplete="new-password"? There's a ticket for it at Mozilla and MDN also mentions it.
autocomplete="new-password" is for the user changing their password. In this case, the browser shouldn't touch the user's password for the site at all because it's not a login form.
-
@tsaukpaetra said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Get a better prog, son.
'Zaktly!... I moved from KeePass to Zoho Password Vault.
Not that KeePass was bad — it's actually quite good, and I love the password generator (still use it) — but Zoho has mobile apps so I can definitely take all my passwords "on the road".
-
@m_adams there are mobile apps for keepass as well. I'm using them myself. Not the most convenient to sync, but...
-
@jbert now all we need is an autocomplete="unrelated-password" so that neither autofill nor autogenerate will interfere.
-
@benjamin-hall said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Not the most convenient to sync, but...
And that's why I sadly switched. Also having them in Zoho Vault, I can credential "proxies" to have access to the data in case of emergencies.
-
@benjamin-hall said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@m_adams there are mobile apps for keepass as well. I'm using them myself. Not the most convenient to sync, but...
I keep a copy on dropbox which I also have on my phone.
-
@boomzilla same, but since Dropbox for phones only updates when you open it...
-
@ben_lubar said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Sure, I'll just keep 63 case sensitive random letters and numbers memorized for each site.
You don't need to memorize them
-
@benjamin-hall said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
Dropbox for i-phones only updates when ~~you open~~ it wants to...
FTFM/P
-
@benjamin-hall said in How do I tell web browsers and/or password managers that the username and password fields on this page are probably not what the user wants auto-completed?:
@m_adams there are mobile apps for keepass as well. I'm using them myself. Not the most convenient to sync, but...
???
No, I don't know why the screenshot is in German, but I'm sure it's self-explanatory enough.
-
@onyx I guess I have a different version/app then. Mine only pulls from local storage. Thanks!
-
@onyx That's the one I have. Only issue I had was when trying to create a new entry in the dropbox file. It refused to write. Haven't tried since I moved the file to google.