DEV Community

Discussion on: Pushing Left, Like a Boss! -- Part 2: Security Requirements

Tanya Janca (Author)

I agree completely, password managers are absolutely necessary. Allowing for cut and paste will allow Password Managers to function properly, while disabling the browser from performing autocomplete will ensure that users don't accidentally save passwords into their browsers (unsafe place) and think they are using a Password Manager (safe place to store passwords and other sensitive data). Auto-complete is a browser feature, and disabling it will not interfere with your password manager. :)

I think we agree but perhaps my phrasing was not clear? Should I update the article?

Thank you for your comment!
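As an added example (not part of this thread or the article), here is a small audit of a login form's HTML for the two properties discussed in the comment above: password fields should carry `autocomplete="off"`, and no field should cancel the paste event, since that breaks password managers. The sample HTML is constructed for the example.

```python
"""Audit login-form HTML: flag password fields that leave browser
autocomplete enabled and any field whose onpaste handler blocks paste."""
from html.parser import HTMLParser

# Constructed sample: "pw" follows the advice, "pw2" violates both points.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="off">
  <input type="password" name="pw2" onpaste="return false;">
</form>
"""


class FormAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, issue)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # html.parser lowercases attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "?")
        # An inline handler that returns false cancels the paste event,
        # so a password manager cannot fill the field by pasting.
        if "return false" in a.get("onpaste", "").lower():
            self.findings.append((name, "paste blocked"))
        if a.get("type", "text").lower() == "password":
            if a.get("autocomplete", "").lower() != "off":
                self.findings.append((name, "autocomplete not disabled"))


def audit_login_form(html):
    """Return the list of (field, issue) findings for the given HTML."""
    auditor = FormAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for field, issue in audit_login_form(SAMPLE_HTML):
        print(f"{field}: {issue}")
```

Treat the autocomplete attribute as a hint rather than a control: current browsers ignore `autocomplete="off"` on login password fields and still offer to save the password, so the audit can only confirm the hint is present.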

sauln

Can't hurt to clarify.

Tanya Janca (Author)

I updated it, thanks! :)

Matthias Müller

Great article!

But why is a browser built-in password manager like Firefox's PW-Manager unsafe? (assuming a master PW is set or the computer is only used by one person)

Btw. turning off autocompletion doesn't work in most browsers anyway:
support.mozilla.org/en-US/kb/passw...

Or did I simply misread your comment?

Tanya Janca (Author)

Browser-built password management functions are not as secure as an actual password manager. It is not an overly safe place to keep it. Another reason is that you have no idea who is using your site, nor which computer they are using it from; if someone is in a hostel backpacking across Europe and accidentally says "yes" to the "would you like XYZ browser to save your password?" prompt, they have unwittingly saved their password for all the hotel users to use later. Unfortunately we need to design assuming the worst case (public computer, not-technically-savvy user), rather than the best case (for instance you personally, someone who is knowledgeable enough to read and understand my blog, is the absolute best case scenario for an app user).

Does this make more sense? Is it helpful?

Also, yes; sadly not all browsers support all of the same features, rules or standards. But we do what we can.

Tanya Janca (Author)

PS Thanks for the really nice comment!