Enable or disable login autocomplete?


Martin Dittus

Mar 28, 2012, 1:12:39 PM
to oneclickor...@googlegroups.com
Hey all,

a tweet by a user just pointed out that our login forms disable autocomplete, which makes logging in inconvenient. We made this change a few months ago on the recommendation of a security researcher who had graciously offered a security audit, but admittedly have not spent much time discussing the UX implications.

What's everyone's opinion on this? It seems like a trade-off between convenience and security; do people think the nature of our service warrants this change, or would we rather rely on our users to make their own decision when they log in?

martind

(On a related note, enough time has passed that we may be able to convince Chris to share the results of the security audit, it may be interesting reading to some. Let us know if you'd like to see it.)

Mark Steward

Mar 28, 2012, 1:15:56 PM
to oneclickor...@googlegroups.com
Ahh, I found this annoying and wondered whether it was intentional. I
don't think there's any reason to disable autocomplete - did the
researcher explain their reasoning?


Mark


Martin Dittus

Mar 28, 2012, 1:23:20 PM
to oneclickor...@googlegroups.com
The audit report itself merely states that such passwords can be recovered, and that applications that require a higher level of security should disable them.

I.e., it really depends on our interpretation of how secure we want to be.

(I'm also wondering if we have usage data from before and after the change to see if it affected our traffic at all. I'm not even sure whether we capture that in any meaningful manner though, we don't install trackers and I doubt that we retain old server logs.)

m.

Mark Steward

Mar 28, 2012, 1:30:01 PM
to oneclickor...@googlegroups.com
So is there a reason to stick it on the form rather than the password
field? I think the Google Toolbar will let you autocomplete stuff
regardless of its status anyway.


Mark
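
The three placements under discussion, side by side, as an added illustration that is not from this thread or from the One Click Orgs code base (the `/login` action and field names are assumed). The attribute belongs to the HTML spec; `autocomplete="off"` on the `<form>` element applies to every field inside it, on an `<input>` it applies to that field only, and the `username` / `current-password` tokens are the standard autofill hints for a sign-in form:

```html
<!-- 1. Form-level: suppresses autofill for every field in the form
        (the placement Mark asks about). -->
<form method="post" action="/login" autocomplete="off">
  <label for="email1">Email</label>
  <input id="email1" type="email" name="email">
  <label for="password1">Password</label>
  <input id="password1" type="password" name="password">
  <button type="submit">Log in</button>
</form>

<!-- 2. Field-level: only the password field opts out; the browser may
        still remember the email address. -->
<form method="post" action="/login">
  <label for="email2">Email</label>
  <input id="email2" type="email" name="email">
  <label for="password2">Password</label>
  <input id="password2" type="password" name="password" autocomplete="off">
  <button type="submit">Log in</button>
</form>

<!-- 3. Restriction removed, with the autofill tokens that tell a browser or
        password manager which field is which. -->
<form method="post" action="/login">
  <label for="email3">Email</label>
  <input id="email3" type="email" name="email" autocomplete="username">
  <label for="password3">Password</label>
  <input id="password3" type="password" name="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```

A caveat worth knowing when weighing the trade-off: mainstream browsers' built-in password managers now ignore `autocomplete="off"` on login fields, so in practice the attribute inconveniences users who rely on browser autofill without preventing a stored password from being saved. The risk the audit describes, recovery of saved passwords by someone with access to the machine, is a device and session-handling concern rather than something a form attribute controls.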

Russ Garrett

Mar 28, 2012, 1:39:53 PM
to oneclickor...@googlegroups.com
On 28 March 2012 18:23, Martin Dittus <dek...@gmail.com> wrote:
> The audit report itself merely states that such passwords can be recovered, and that applications that require a higher level of security should disable them.

I think with Firefox you can recover passwords if you have physical
access to the machine. But the alternative to using a password manager
to most people is probably writing the password down (or putting it in
a text file). So I think that's a bit of a bogus recommendation.

(LastPass lets me bypass disabled autocomplete, so I don't really care...)

--
Russ Garrett
ru...@garrett.co.uk

Martin Dittus

Mar 28, 2012, 1:40:20 PM
to oneclickor...@googlegroups.com
I'm actually more thinking that there's a good case to make for removing this restriction altogether.

The somewhat philosophical question is whether a service that lets you run legal organisations requires a higher security standard than any random shopping site.

And on the other hand virtually any change most users can make on OCO first requires approval by their peers; so while the potential impact may be high there are strong social barriers in place.

m.

Mark Steward

Mar 28, 2012, 1:47:37 PM
to oneclickor...@googlegroups.com

Quite. Your account is only as secure as your email, and I note that Hotmail has it set on the password field only, while Gmail doesn't have it at all.

Definitely worth including in any threat models though.

Martin Dittus

Mar 28, 2012, 1:55:18 PM
to oneclickor...@googlegroups.com
Ok, so unless someone has a killer argument we missed it sounds like we should undo that change.

Thanks for everyone's quick feedback!

m.

Adam McGreggor

Mar 28, 2012, 2:00:22 PM
to One Click Orgs / Devspace
On Mar 28, 6:12 pm, Martin Dittus <deks...@gmail.com> wrote:
> a tweet by a user just pointed out that our login forms disable
> autocomplete, which makes logging in inconvenient. We made
> this change a few months ago on the recommendation of a
> security researcher who had graciously offered a security audit,
> but admittedly have not spent much time discussing the UX implications.

I suspect that user would be me. Hello ;o)

> What's everyone's opinion on this? It seems like a trade-off between
> convenience and security; do people think the nature of our service
> warrants this change, or would we rather rely on our users to make
> their own decision when they log in?

Whilst I'm not an active security researcher, I have more than an
ounce of common sense.

Whilst lastpass &c may allow by-passing of these 'features', not
everyone has them installed (I'm waiting for it to be discounted,
again), wants to install them, or gives a fig. Ordinary users probably
just use their web-browsers' default 'remember password' settings.

Security, as I tweeted (but now elaborating a bit more), is fucking
pointless when the alternative is to (a) write them down, along with
what they are for, or (b) use the same (small series) of passwords.


(CBA'd using my proper email address given my immense hatred
of google groups. Own view, despite company address &c.)

Adam McGreggor

Mar 28, 2012, 2:05:40 PM
to One Click Orgs / Devspace
On Mar 28, 6:40 pm, Martin Dittus <deks...@gmail.com> wrote:
> I'm actually more thinking that there's a good case to make
> for removing this restriction altogether.

+1 ;o)

> The somewhat philosophical question is whether a service that
> lets you run legal organisations requires a higher security standard
> than any random shopping site.

My banks (UK and abroad) allow me to store their associated username
fields.

Webmail allows me to save u&p combos.

I don't think so. If you're bothered about falsifying an association
amendment/policy, then implement some sort of GPG &c
functionality... not that normal people use GPG, mind.

(but a simple wrapper might help)

> And on the other hand virtually any change most users can
> make on OCO first requires approval by their peers; so while
> the potential impact may be high there are strong social
> barriers in place.

That too.

Chris Mear

Apr 4, 2012, 10:28:18 AM
to oneclickor...@googlegroups.com
Thanks everyone for the good discussion. I've removed the anti-autocomplete attribute here:


This will go into our next release, hopefully later this week.

Chris

Martin Dittus

Apr 4, 2012, 10:31:27 AM
to oneclickor...@googlegroups.com
Excellent, thank you!

m.

Chris Mear

Apr 5, 2012, 6:32:32 PM
to oneclickor...@googlegroups.com
On Wednesday, 28 March 2012 at 18:12, Martin Dittus wrote:
> (On a related note, enough time has passed that we may be able to convince Chris to share the results of the security audit, it may be interesting reading to some. Let us know if you'd like to see it.)

I can certainly do this; all the juicy bits have been revealed already in the release notes anyway. It would be good to share a proper write-up.

Chris
