Smart Lock suggestion should use new-password value in autocomplete attribute.

[琴浦りんくす]

Smart Lock suggestion implemented.

It seems that requirements of suggestion depend on number of users using Smart Lock for its service.

I think this unique implementation is not good.

Chrome should corresponds various values in autocomplete attribute. (ref. https://developer.mozilla.org/en/docs/Web/HTML/Element/input#attr-autocomplete )

And Smart Lock suggestion should use 

autocomplete="new-password"

Corresponding various values in autocomplete attribute is useful for nasty autocomplete of current password for new password forms, and also useful for accurate autocomplete.

--

My chrome environment version 62.0.3178.0

[Jon Perryman]

Passwords will be the most difficult field a user or developer will deal with because it evokes deep emotion in everyone. To make matters worse, most people (even web page developers) don't understand the actual problem, solution and implementation. A previous post asked about encrypting passwords. In your case, I think you are asking if autocomplete="current-password" is a bad thing.

To make username / password handling simple for developer's, HTML5 introduced autocomplete= for username, current-password and new-password which are intended to remove username / password logic from our HTML and move it into the browser. No more cookies and far more consistent. I have not used them yet so I don't know if they are working properly. If they do, then websites that support HTML5 and up should start using these instead of HTML we had to use in HTML4.

Password lockers such as Google's smart lock (and others) must deal / override the the autocomplete= setting as needed. Specifying autocomplete="current-password" should not cause them a problem. If you are concerned, then you should ask them.

I think that smart lock actually uses googles login API to Google+ but I won't swear to that. Using third party login API's such as Google+ or Facebooks login api can be a good way to control access to your website without understanding userid / password techniques. I still haven't decided whether these are a good or bad idea. On the good side, they make things very consistent and very controlled. On the bad side, users feel this is very secure even though these are a single online site that maintains access to all their logins. It's human nature not to think about security with low risk websites and may use it where you shouldn't. E.g. you are at the library without your computer but need to look at an online newspaper subscription,

Regards, Jon.

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

---
You received this message because you are subscribed to the Google Groups "Chromium-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discuss+unsubscribe@chromium.org.