I like everything on this list bar this item: "Allow users to cut and paste into the password field, but disable password autocomplete features"
IMO, anything that interferes with password managers or lowers their adoption is a major loss. If you want a password field that can't be attacked computationally, have a debounce and a lockout after 20 attempts.
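As an added illustration (not code from the article or from anyone in this thread), here is a server-side login-attempt tracker that implements the two controls this comment proposes: a debounce, here a delay that doubles after each consecutive failure, and a hard lockout once 20 failures are reached. The class name `LoginThrottle`, the 15-minute lockout duration, the 500 ms base delay and its 30 s cap are assumptions; the brute-force simulation at the end is constructed for the example.

```javascript
// Added example: debounce + lockout for a login endpoint.
// The thresholds below are assumptions except MAX_FAILURES (20), which is the
// number suggested in the comment above.
const MAX_FAILURES = 20;            // lockout threshold from the comment
const LOCKOUT_MS = 15 * 60 * 1000;  // assumed: lock the account for 15 minutes
const BASE_DELAY_MS = 500;          // assumed: debounce starts at half a second
const MAX_DELAY_MS = 30 * 1000;     // assumed: debounce never grows beyond 30 s

class LoginThrottle {
  // `now` is an injectable clock so the behaviour can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // key (account, or account+client IP) -> record
  }

  record(key) {
    if (!this.state.has(key)) {
      this.state.set(key, { failures: 0, lastFailure: 0, lockedUntil: 0 });
    }
    return this.state.get(key);
  }

  // Call BEFORE verifying the password. When `allowed` is false the server
  // should answer with a generic failure and a Retry-After hint, without
  // touching the password hash at all.
  check(key) {
    const r = this.record(key);
    const t = this.now();
    if (r.lockedUntil > t) {
      return { allowed: false, lockedOut: true, retryAfterMs: r.lockedUntil - t };
    }
    // Debounce: 0 after no failures, then 500 ms, 1 s, 2 s, ... capped at 30 s.
    const delay = r.failures === 0
      ? 0
      : Math.min(BASE_DELAY_MS * 2 ** (r.failures - 1), MAX_DELAY_MS);
    const earliest = r.lastFailure + delay;
    if (earliest > t) {
      return { allowed: false, lockedOut: false, retryAfterMs: earliest - t };
    }
    return { allowed: true, lockedOut: false, retryAfterMs: 0 };
  }

  // Call AFTER the password check with its outcome. A success clears the
  // counter; the 20th failure in a row triggers the lockout.
  report(key, success) {
    const r = this.record(key);
    if (success) {
      this.state.delete(key);
      return;
    }
    r.failures += 1;
    r.lastFailure = this.now();
    if (r.failures >= MAX_FAILURES) {
      r.lockedUntil = r.lastFailure + LOCKOUT_MS;
    }
  }
}

// Constructed scenario: an online guesser retries wrong passwords for one
// account as fast as the debounce permits. Returns how many guesses actually
// reached the password check, whether the lockout fired, and simulated time.
function simulate(totalAttempts) {
  let clock = 0;
  const throttle = new LoginThrottle(() => clock);
  let verified = 0;
  for (let i = 0; i < totalAttempts; i++) {
    let verdict = throttle.check('alice');
    while (!verdict.allowed) {
      if (verdict.lockedOut) {
        return { verified, lockedOut: true, elapsedMs: clock };
      }
      clock += verdict.retryAfterMs; // the guesser waits out the debounce
      verdict = throttle.check('alice');
    }
    verified += 1;                   // the hash comparison really runs here
    throttle.report('alice', false); // every guess in this scenario is wrong
  }
  return { verified, lockedOut: false, elapsedMs: clock };
}

module.exports = { LoginThrottle, simulate };
```

In the simulation, 100 guesses yield exactly 20 password checks spread over about seven minutes of simulated time before the lockout stops everything, versus 100 checks in a fraction of a second with no throttle. Key the tracker by account rather than only by client address, since a distributed guesser changes addresses freely; and be aware that a hard per-account lockout lets anyone lock a victim out by sending 20 bad guesses, which is why many sites rely on the growing delay and reserve the lockout for a notification-plus-reset flow rather than a silent block.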
I agree completely, password managers are absolutely necessary. Allowing for cut and paste will allow Password Managers to function properly, while disabling the browser from performing autocomplete will ensure that users don't accidentally save passwords into their browsers (unsafe place) and think they are using a Password Manager (safe place to store passwords and other sensitive data). Auto-complete is a browser feature, and disabling it will not interfere with your password manager. :)
I think we agree but perhaps my phrasing was not clear? Should I update the article?
Thank you for your comment!
Can't hurt to clarify.
I updated it, thanks! :)
Great article!
But why is a Browser-Built-In Password Manager like Firefox' PW-Manager unsafe? (assuming a master pw is set or the computer is only used by 1 person)
Btw. turning off autocompletion doesn't work in most browsers anyway:
support.mozilla.org/en-US/kb/passw...
Or did I simply misread your comment?
Browser-Built password management functions are not as secure as an actual password manager. It is not an overly safe place to keep it. Another reason is that you have no idea who is using your site, nor which computer they are using it from; if someone is in a hostel backpacking across Europe and accidentally says "yes" to the "would you like XYZ browser to save your password?" they have unwittingly saved their password for all the hotel users to use later. Unfortunately we need to design assuming the worst case (public computer, not-technically-savvy user), rather than the best case (for instance you personally, someone who is knowledgeable enough to read and understand my blog, is the absolute best case scenario for an app user).
Does this make more sense? Is it helpful?
Also, yes; sadly not all browsers support all of the same features, rules or standards. But we do what we can.
PS Thanks for the really nice comment!