Clarification of turingtest2 on automatic login

😎

tt2

schooled once again, amigo

...interfering with the browser's attempts to make use of a saved password.

In an effort to find the method, I stumbled across the obvious = autocomplete="off" type="password" ...

by dragging from "Sign In" to the Blue Button > View Selection Source, I found the AREA and that particular code

THEN, Viewed the WHOLE Page Source for context page wide, one finds (oddly a different order in the two)

Banks are notorious... now here

buenos noches (in case you get this your AM, buenos dias!)

ÇÇÇ

CITATION > http://www.w3.org/TR/2011/WD-html5-20110525/common-input-element-attributes.html #the-autocomplete-attribute

AUTOCOMPLETE to a GECKO browser is not a guessing game but a named function referring to stuff it saves in the distinct Managers

• FORM field values
  • name
  • address
  • city
  • state
  • etc
• CREDENTIAL field values
  • User ID
  • password

according to this > https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning _off_form_autocompletion - websites' ability to defeat Firefox ignoring that command was dealt with in FF 30.x - I am running TFF 31.7 since early May - TFF 31.6 since early March.

• The autocomplete="off" code is clearly there in ASC login page source
• My bank also does it
• BOTH continue to succeed in preventing the Password Manager from populating the password field
• BOTH are able to be worked around with the TAB method - proving that Password Manager is not faulty and CAN populate the field when forced

All that said, my poor Pismo/Tiger will not catch up to FF 38.x for quite a while!! I wonder if there is further code besides autocomplete="off" elsewhere in the source? hard to FIND when you don't what your looking for...

RE: the PS... there WAS a bug fixed - see the 'announcement' banner at the top of the linked page

WELL Well... whaddya know - search "password" long enough in the page source and voila!

MAYBE?

and with that, good nite, see ya mañana

ÇÇÇ

My guess is that autocomplete='off" is an instruction to the browser not to cache the content of the field in the low security auto complete mechanism. Declaring the field type as password ensures that characters typed into the field are displayed as asterisks, and flagged up for the password management system.

tt2

tt2 sed:

...characters typed into the field are displayed as asterisks,...

This is called "Password Masking" - no relation to autocomplete -- from http://www.w3.org/2001/tag/doc/passwordsInTheClear-52

3 Passwords displayed in Browser

HTML allows authors to create input forms. If a form field is a password, password masking SHOULD take place to protect the user from onlookers seeing what is being entered and stop anyone from later using the 'back' button to discover passwords.

Extrecting the pertinent autocomplete attribute from the long w3.org page cited above.in a previous post.. see " Banks frequently do not want UAs to prefill login information: " below

4.10.7.2.1 The

autocomplete

User agents sometimes have features for helping users fill forms in, for example prefilling the user's address based on earlier user input.

The

autocomplete

attribute is an enumerated attribute. The attribute has three states. The

on

keyword maps to the on state, and the

off

keyword maps to the off state. The attribute may also be omitted. The missing value default is the default state.

The off state indicates either that the control's input data is particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) and the user will therefore have to explicitly enter the data each time, instead of being able to rely on the UA to prefill the value for him; or that the document provides its own autocomplete mechanism and does not want the user agent to provide autocompletion values.

Conversely, the on state indicates that the value is not particularly sensitive and the user can expect to be able to rely on his user agent to remember values he has entered for that control.

The default state indicates that the user agent is to use the

autocomplete

attribute on the element's form owner instead. (By default, the

autocomplete

attribute of

form

elements is in the on state.)

Each

input

element has a resulting autocompletion state, which is either on or off.

When an

input

element is in one of the following conditions, the

input

element's resulting autocompletion state is on; otherwise, the

input

element's resulting autocompletion state is off:

• Its

  autocomplete

  attribute is in the on state.
• Its

  autocomplete

  attribute is in the default state, and the element has no form owner.
• Its

  autocomplete

  attribute is in the default state, and the element's form owner's

  autocomplete

  attribute is in the on state.

When an

input

element's resulting autocompletion state is on, the user agent may store the value entered by the user so that if the user returns to the page, the UA can prefill the form. Otherwise, the user agent should not remember the control's value, and should not offer past values to the user.

In addition, if the resulting autocompletion state is off, values are reset when traversing the history.

The autocompletion mechanism must be implemented by the user agent acting as if the user had modified the element's value, and must be done at a time where the element is mutable (e.g. just after the element has been inserted into the document, or when the user agent stops parsing).

Banks frequently do not want UAs to prefill login information:

<p><label>Account: <input type="text" name="ac" autocomplete="off"></label></p>
<p><label>PIN: <input type="password" name="pin" autocomplete="off"></label></p>

A user agent may allow the user to override the resulting autocompletion state and set it to always on, always allowing values to be remembered and prefilled), or always off, never remembering values. However, the ability to override the resulting autocompletion state to on should not be trivially accessible, as there are significant security implications for the user if all values are always remembered, regardless of the site's preferences.

MY Bank > https://chaseonline.chase.com/Logon.aspx - as I have said before, does this too - AND can be "worked around" using the TAB method described...

========

========

Isn't " Cache " different than " Remember " in the Password Manager? My understanding is cache is like a local copy of recently visit pages, first in - first out if one reaches the Default of user set limit to the storage allotted.

Another function that we may be confusing with this is the browser "automatically remembering" a string previously entered into a field and "GUESSING" that you want to type it again - like the URL location bar for instance (sorry, I don't recall the term)

Methinks we are at the end of this academic discussion, as it IS Somehow implemented and we must deal with it how we see fit, ActionFlow driven - TABbing or keying the string

We have had enough rain here, thanks. You Brits can have it back! (once spent 2 weeks in December in the UK = misery)

ÇÇÇ