Tricking browsers that are storing passwords

February 9th, 2008 | by Jory |

For a system that I’m working on that I plan to, at some point, release as open source product, I am going to implement a system so that, to get the specific pages, you need to enter your password even if you are logged in. If you do, you will remain “super-authed” untill you close the browser. This would prevent, ie, my little sister to use my laptop, go to my website and have full power because I’m still logged in. But as I was working on it, a question arose: How good is this, taking into account that most people will just end up storing the password in their browser. Obviously, there are ways around that. (Using a random name for the password field each time is probally enough.) But, by doing that, I will be breaking browser functionalities. Do I really want to do that?

  1. 4 Responses to “Tricking browsers that are storing passwords”

  2. By Seth on Feb 20, 2008 | Reply

    <input type=”password” autocomplete=”off” />

    Done.

  3. By Ben Babcock on Feb 20, 2008 | Reply

    I don’t think it’s a big deal if you do that.

    While in general I prefer to let a user keep control of his or her browsing experience, there’s always the exception to the rule. In a case like this, it’s reasonable to prevent users from automatically filling out password forms–that’s extra security, after all. And it’s not like you’re adding 300 layers of security complete with a CAPTCHA image, and ID image, a question, an ID phrase, and whatnot. :P

    *cough* My bank sucks *cough*

  4. By Jory on Feb 20, 2008 | Reply

    Wow, Seth, I had no idea there was such a thing.

    Seems like I’ll need to use a custom doctype for this though and I’m not sure I’m 100% comfortable doing that just yet. (Knowing me, I’ll break more this I fix when doing something like that.)

  5. By Kevin Zak on Mar 17, 2008 | Reply

    It’s an interesting question you pose, Jory. While some may find it an annoying quirk, I think that an extra layer of security like what you proposed is worth it. I used to worry about family members messing with things that I stay logged into. Now I generally lock my sessions if I’m going to be gone for any extended period of time. All in all, I don’t think it’s unreasonable to limit unessential functionality for security’s sake.

Post a Comment