A tip from Chris Holland pointed me to his new article:
Disable Autocomplete with Valid
HTML. This deals with a problem for online banks: the well-meaning browser features for remembering passwords in
forms can be a security risk when users access their accounts from public machines. So they need a way to disable
autocomplete.
You can use an autocomplete="off" attribute to do this, and it works in Internet Explorer and
Mozilla, but it isn't valid HTML. Chris presents some simple JavaScript which sets the attribute using the DOM, which
will allow the HTML document to validate just fine.
Meanwhile, while this attribute makes the online banks happy, I've always been annoyed that my bank uses it on their
site, since I don't use public terminals and I'd really like my home computer to remember the password. Chris linked to
an article by Kenn Christ that talks about this
issue at length, and mentions the
Remember Password Bookmarklet by
Jesse Ruderman that solves the problem for those of us who don't need this particular security blanket.
Disabling autocomplete in forms
Reader Comments
(Page 1)2. It seems to me that letting your browser remember the password to your bank's website is a recipe for disaster. Its like writing your pin number on your debit card. Sure, you are the only one who ever has access to your wallet, but you don't do it because of what could happen if it got lost/stolen. The same is true with your home computer.
Posted at 5:49AM on Dec 19th 2005 by Brontojoris
1. I'm not sure if javascript really works here, because it seems to that it would be more likely that javascript be disabled on a public computer to prevent attack attempts. Maybe just a guess?
I use Firefox's save passwords, but I would like to mention that IE automatically asks every password that you save I believe. But then again, if the first user selects save, then it will automatically erase that information and put in new data when the second user logs in, and won't ask him. I think at lest.
Posted at 5:49AM on Dec 19th 2005 by Jeff