No Autofill For You
It’s time to go log in to the system to do the thing. You’re savvy and understand that you should use a different password for every account, to help isolate your accounts in case one of the systems you use is compromised, so you use a password manager to create strong passwords and remember them for you. But when you get to the login page, for some reason you can’t use the autofill feature to have the password manager enter your credentials for you.
Frustrated, you open up your password manager’s application, search for the credentials you need, and copy and paste them into the fields so you can log in.
Unbeknownst to you, something is monitoring your clipboard history for some reason and storing everything you copy to an insecure location. Sometime later, that store is discovered by a nefarious actor, who is then able to compromise your account.
Whatever the excuse, disabling or otherwise preventing autofill in your login system is bad for security and user experience. While browsers and password managers should not eagerly autofill login credentials without user consent, the application or website should not go out of its way to prevent this behavior by password managers.
A major reason cited for disabling autocomplete in web browsers is PCI compliance, but that is often poorly implemented if not outright misguided. Which is perhaps beside the point – most browsers and password managers ignore HTML autocomplete directives for password fields, but people still go out of their way to prevent this.
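The directive in question is the `autocomplete` attribute on the login form. The markup below is an added illustration, not from the original post: the first form carries the `autocomplete="off"` pattern criticized above, the second uses the standard `username` and `current-password` tokens so a password manager can recognize the fields and fill them without a trip through the clipboard. Field names and the action URL are placeholders.

```html
<!-- Pattern criticized above: tries to suppress autofill. Most browsers and
     password managers ignore autocomplete="off" on password fields anyway,
     so this buys no security and only gets in the user's way. -->
<form method="post" action="/login" autocomplete="off">
  <input type="text"     name="user" autocomplete="off">
  <input type="password" name="pass" autocomplete="off">
  <button type="submit">Log in</button>
</form>

<!-- Autofill-friendly form: the standard autocomplete tokens tell the
     password manager which field is which, so it can fill the stored
     credential directly instead of the user copying it by hand. -->
<form method="post" action="/login">
  <input type="text"     name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```

For a sign-up or change-password form, the corresponding token is `new-password`, which also lets the manager offer to generate a strong password.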
Due to a variety of concerns I’m not going to get into here, password managers tend to generate passwords that are difficult to type, and forcing people to type them can lead to errors and frustration. If your goal is to force someone to use a weaker, easier-to-type password, this is a great tool for doing so.
There are people who think that remembering passwords and not storing them is a good idea; I consider them incompetent by virtue of having this belief, but nevertheless they often carry enough sway and influence to inflict this kind of damage upon their system and its users.
If you’re in charge of one of these systems and still not convinced and still want your users to type it out, well, that’s on you – you’re still making those people’s days a bit more frustrating and a bit less secure, and contributing to their Login Bingo squares.