
Login screen autocomplete=off

avit

Guest
I really hate when websites try and second-guess me...

I use the Keychain on my Mac to manage my many passwords so I can use secure random passwords, store them securely, and not have to remember them all.

Not only does the Plesk login screen use the autocomplete="off" nonstandard IE attribute, it splits the password and name fields into two separate forms plus JavaScript, so there's no way to use my keychain even if I wanted to override the autocomplete behaviour myself.

This forces me to be less secure by recording my passwords in other ways and it's way more inconvenient... Thumbs down for this security "feature".
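
The post above names two things that keep a password manager from filling a login page: autocomplete="off", and name and password fields split across separate forms. The following is an added example, not part of the thread and not Plesk's code, that checks a page's HTML for both. The sample markup is constructed (only the field names login_name and passwd come from this page), and LoginFormAudit and audit_login_html are hypothetical names.

```python
from html.parser import HTMLParser

# Constructed markup imitating the pattern the post describes; not Plesk's real page.
SPLIT_LOGIN = """
<form name="user" autocomplete="off"><input type="text" name="login_name"></form>
<form name="pass" autocomplete="off"><input type="password" name="passwd" /></form>
"""
# Constructed counter-example: one form, standard autocomplete tokens.
SINGLE_LOGIN = """
<form method="post" action="/login">
  <input type="text" name="login_name" autocomplete="username">
  <input type="password" name="passwd" autocomplete="current-password">
</form>
"""

class LoginFormAudit(HTMLParser):
    """Collects text and password inputs together with the form that owns them."""
    def __init__(self):
        super().__init__()
        self.forms = 0        # number of <form> tags seen so far
        self.current = None   # (form id, form-level autocomplete) while inside a form
        self.fields = []      # (form id, input type, autocomplete disabled?)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self.forms += 1
            self.current = (self.forms, a.get("autocomplete"))
        elif tag == "input" and a.get("type", "text") in ("text", "email", "password"):
            form_id, form_ac = self.current or (0, None)
            # A field-level attribute overrides the form-level one.
            effective = a.get("autocomplete", form_ac)
            self.fields.append((form_id, a.get("type", "text"), effective == "off"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def audit_login_html(html):
    """Return a sorted list of findings that stop password managers filling the form."""
    parser = LoginFormAudit()
    parser.feed(html)
    findings = set()
    user_forms = {f for f, t, _ in parser.fields if t != "password"}
    for form_id, kind, ac_off in parser.fields:
        if kind == "password" and ac_off:
            findings.add("password field has autocomplete=off")
        if kind == "password" and user_forms and form_id not in user_forms:
            findings.add("username and password are in separate forms")
    return sorted(findings)
```

Calling audit_login_html(SPLIT_LOGIN) reports both findings, while SINGLE_LOGIN returns an empty list.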
 
Actually, it was supposedly "under two minutes"... (Without counting the first day, and the hack required physical intervention from a user.) :) Anyway, I don't want to make this a platform war: my point is that even if you want to set up a secure password system (on a USB key or whatever) the system thwarts you from using it.

Seriously, you enjoy typing your passwords in? Or do you: (a) write them down, (b) just use the same one everywhere?

Give me HTTPS user certificates or anything else, this tactic is just dumb. I understand they're trying to protect dumb users from themselves, but still...

PS, your linked article is over 2 years old, and long since patched.
 
I think allowing users to be dumb and just tab to autocomplete is not a good best practice idea. The alternatives are not much better considering how much of the user base is semi retarded and incredibly lazy, but nonetheless, allowing things to remember your password for you only invites people to do things to your site.
 
"Best practice" or not, the hack that Plesk is doing on their login form is certainly not "standard practice" and extremely annoying. It's not Plesk's job to protect me from myself...
 
Try this, it's the way I bypass it:

Code:
<form action="https://yourserver:8443/login_up.php3" method="post">
	<input type="hidden" name="passwd" value="yourpassword" />
	<input type="hidden" name="login_locale" value="default" />
	<input type="hidden" name="login_name" value="yourusername" />
	<input type="submit" value="login" />
</form>
 
LOL, that's awesome! Now I can just hard-code my username and password there in plain text... I think I'll put it on my web server where it's convenient to access! Besides, someone told me that my Mac isn't secure, so I'd better host it on a Linux-based server... ;-)
 