[buddypress-trac] [BuddyPress Trac] #6269: Add autocomplete="off" to bp-login widget password field

buddypress-trac noreply at wordpress.org
Mon Mar 9 15:34:27 UTC 2015 

#6269: Add autocomplete="off" to bp-login widget password field
-----------------------------+------------------------------
 Reporter:  Prometheus Fire  |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  API              |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |
-----------------------------+------------------------------

Comment (by hnla):

 https://bugzilla.mozilla.org/show_bug.cgi?id=956906

 The summary from a very long thread from a Mozi discussion on the subject:

 >Summary of the change, so people don't have to wade through a long
 discussion:
 >  - This change makes it so that `autocomplete=off` does not stop the
 Password Manager >from  working. Normal form autofill can be disabled as
 usual.
 >  - The password manager *always* prompts if it wants to save a password.
 Passwords are >not  saved without permission from the user.
 >  - We are the third browser to implement this change, after IE and
 Chrome.
 >  - This can be undone locally by flipping the
 `signon.storeWhenAutocompleteOff` pref >(from  about:config) off.
 >  - The rationale behind this change was the widespread abuse of the
 `autocomplete`  >attribute to prevent password saving where no prevention
 is required. This change gives  >users full control over password saving,
 without compromising on security (again, the user  >is always prompted).

 Seems overall that `autocomplete=off` should be implemented, the main
 concern in doing so being that preventing browsers auto saving to password
 managers would be a very bad thing possibly resulting in people using weak
 passwords where they might have been using very strong ones in the
 knowledge that  a browser action by user would have the password inserted
 to field.

 It seems that Mozi here acknowledge that they are the last to implement a
 fix for autocomplete disabling their password saving thus all major
 browsers are safe in this respect and my 20 char passwords will be
 automagically inserted regardless of autocomplete set.

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6269#comment:3>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list