That's a misuse of the term "autocomplete" in my opinion. What he complains about is "autofill", not "autocomplete" as I understand it. Autocomplete takes the values you used previously and gives you suggestions for the stuff you're typing in yourself. Autofill tries to guess what values are required and fills them in without additional interactions.
I remember noting with concern several years ago that Safari was blindly saving my credit card number along with all my other auto-fill data. Thing is, I recall observing that behavior stopping around Safari 4 or so – the browser appeared to be using something along the lines of the data detectors that put calendar links on times mentioned in emails, and saving everything but the credit card field.
Isn't that like claiming individual permissions pop-ups are working just fine on mobile devices, because people are carefully and individually considering whether each given app needs each requested permission?
If some autofill feature starts training users to click "Ok, Ok, Ok, Ok, whatever, just Ok!" any time they sign up for some account or site feature, how long until masses are unwittingly sending along way more data than any sober assessment suggests they ought to and we're shrugging our shoulders and saying "well, the site asked..."
Firefox and the Mozilla Suite have had a very similar problem since at least 2005: it autofilled usernames and passwords, which creates a problem with XSS or user-generated content on the same domain. The bug was marked WONTFIX: https://bugzilla.mozilla.org/show_bug.cgi?id=280469
Strange, but for me Firefox does not auto-fill passwords, unless you provide a username (and of course, you opted into auto-filling). What did it do, as I don't understand? Did it automatically auto-fill password fields that happened to get loaded on the page?
You have to have an autofill set up with more information than just your name. You can tell if you have this set up because when the autofill choices show they will have your address etc in gray next to the choices you are auto-completing.
I just don't store credit card details in my browser. Auto-complete for emails is extremely handy and I use that all the time, but does purchasing things online really need to be any easier?
I don't mind reaching for my wallet there; it forces you to make a conscious decision to spend the money, which is at least slightly better than a 1-click impulse.
Credit card details are not the main concern here (because they are separated on Chrome), but you could send your address and phone number to a server without expecting to send more than your name or email address.
True and it takes what? 1 minute of typing? Do we really need to go faster than that? Of course, companies are all in favour, but it's not in our interest.
I don't see the problem; all that was filled in was my name. The other fields were left blank. Even when I reentered it after the other fields popped up.
Should be easy to make a proof of concept page to scare people dumb enough to have credit card auto-complete.
Just make hidden form fields for every field name you can think of, then make some onload javascript to welcome them to the page with any fields that aren't empty.
You shouldn't call people dumb for following Google's instructions. I agree with you that storing CC details in a web browser is a bad idea, but we should take issue with Chrome here (and other browsers) not with regular "dumb" users.
I always disable all "auto" functions in any browser. Autocomplete for forms and URLs, remember passwords, everything I can find a switch for I turn off. Makes the browser faster and I feel like I'm more in control of it.
Why is it good practice to use it on login fields? That just means your users will use weaker (easier to remember) passwords on your site instead of using random, unique ones stored in a password manager.
An attacker that can make use of an auto-completing password field has got enough access to mean that the game is over anyway - they can get that password from a variety of other sources on the machine.
Turning off autocomplete on login fields doesn't make that form more secure, and it does annoy users.
As kalleboo says, it probably reduces security as your users change to easy to type passwords, or keep needing password resets.
I'm sorry, I've never used autocomplete for a few privacy related reasons, and this was one of them... this seems obvious, to the point where I thought the title was written in a sarcastic 'duh' tone...
I figured not letting your (google especially) browser store personal details was pretty much common privacy/security sense at this point.
"Visible on screen" unfortunately is a hard thing to determine. You can easily imagine a textbox with white text on a white background, or a very small textbox, or a textbox that briefly pops up whenever you type a keystroke or click the mouse, or...
Browsers really need to support some mechanism where the user can determine precisely what information will be filled prior to it being handed over to the website. This needn't be difficult; Chrome's existing autofill popup already displays a subset of the information, the popup just needs to give a fuller picture.
I suspect this would be very difficult to implement robustly. There are just too many ways to hide something: color it white, overlay another element on top, use a weird font that causes it to look like something else, ...
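The visibility problem discussed in the two comments above, as an added example that is not part of the original thread: a JavaScript audit that flags autofill-eligible fields a user could not review before submitting. The snapshot shape, the field names and the 8px threshold are assumptions made for this example, and the sample data is constructed.

```javascript
// Added example. All field names, sizes and thresholds below are constructed.
const MIN_SIDE_PX = 8; // assumed cut-off for a "very small textbox"

// True when rectangle `outer` fully covers rectangle `inner`.
function contains(outer, inner) {
  return outer.x <= inner.x && outer.y <= inner.y &&
    outer.x + outer.w >= inner.x + inner.w &&
    outer.y + outer.h >= inner.y + inner.h;
}

// Reasons a user is unlikely to see this field; an empty array means "looks visible".
function hiddenReasons(field, overlays = []) {
  const s = field.style;
  const reasons = [];
  if (s.display === 'none' || s.visibility === 'hidden') reasons.push('not-rendered');
  if (field.rect.w < MIN_SIDE_PX || field.rect.h < MIN_SIDE_PX) reasons.push('tiny');
  if (s.color === s.backgroundColor) reasons.push('text-matches-background');
  if (overlays.some(o => o.opaque && contains(o.rect, field.rect))) reasons.push('covered');
  return reasons;
}

// Autofill-eligible fields that the user cannot review before submitting.
function auditForm(fields, overlays = []) {
  return fields
    .filter(f => f.autocomplete !== 'off')
    .map(f => ({ name: f.name, reasons: hiddenReasons(f, overlays) }))
    .filter(r => r.reasons.length > 0);
}

// Constructed snapshot: in a browser, `style` would come from getComputedStyle()
// and `rect` from getBoundingClientRect().
const BLACK = 'rgb(0, 0, 0)', WHITE = 'rgb(255, 255, 255)';
const makeField = (name, style, rect) => ({
  name, autocomplete: 'on', rect,
  style: { display: 'inline-block', visibility: 'visible', color: BLACK, backgroundColor: WHITE, ...style },
});
const SAMPLE_OVERLAYS = [{ opaque: true, rect: { x: 0, y: 100, w: 400, h: 100 } }];
const SAMPLE_FIELDS = [
  makeField('name', {}, { x: 10, y: 10, w: 200, h: 24 }),
  makeField('address', { display: 'none' }, { x: 0, y: 0, w: 0, h: 0 }),
  makeField('phone', { color: WHITE }, { x: 10, y: 40, w: 200, h: 24 }),
  makeField('cc-number', {}, { x: 10, y: 70, w: 1, h: 1 }),
  makeField('city', {}, { x: 10, y: 120, w: 200, h: 24 }),
  // Rendered normally but in a misleading font: none of the checks can see that.
  makeField('zip', { fontFamily: 'LooksLikeSomethingElse' }, { x: 10, y: 230, w: 200, h: 24 }),
];

console.log(auditForm(SAMPLE_FIELDS, SAMPLE_OVERLAYS));
```

The `zip` field is not flagged, which is the limitation the last comment points at: each check covers one hiding trick, and a misleading font passes all of them.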
[+] [-] viraptor|12 years ago|reply
They're very different mechanisms...
[+] [-] yaph|12 years ago|reply
[+] [-] AndrewDucker|12 years ago|reply
[+] [-] Tobu|12 years ago|reply
[+] [-] dijit|12 years ago|reply
Doesn't matter what I picked in autocomplete, nothing else was submitted.
(firefox 24 on linux)
[+] [-] computer|12 years ago|reply
[+] [-] elwell|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] mortenjorck|12 years ago|reply
[+] [-] crashandburn4|12 years ago|reply
[+] [-] DanBC|12 years ago|reply
[+] [-] bad_user|12 years ago|reply
[+] [-] hydrology|12 years ago|reply
[+] [-] twister|12 years ago|reply
[deleted]
[+] [-] Sephiroth87|12 years ago|reply
[+] [-] kalleboo|12 years ago|reply
[+] [-] roc|12 years ago|reply
[+] [-] praseodym|12 years ago|reply
[+] [-] bad_user|12 years ago|reply
[+] [-] Ellipsis753|12 years ago|reply
[+] [-] elwell|12 years ago|reply
[+] [-] michaelmartin|12 years ago|reply
[+] [-] elwell|12 years ago|reply
[+] [-] bad_user|12 years ago|reply
[+] [-] wil421|12 years ago|reply
[+] [-] elwell|12 years ago|reply
[deleted]
[+] [-] ck2|12 years ago|reply
[+] [-] gizmo|12 years ago|reply
[+] [-] ams6110|12 years ago|reply
[+] [-] ubercow13|12 years ago|reply
[+] [-] kevinmchugh|12 years ago|reply
[+] [-] freewheeling|12 years ago|reply
It's considered good practice to use it on login fields, but otherwise depends on whether you think security or user preference should take priority.
[+] [-] kalleboo|12 years ago|reply
[+] [-] imurray|12 years ago|reply
[+] [-] DanBC|12 years ago|reply
[+] [-] gr3yh47|12 years ago|reply
[+] [-] webhat|12 years ago|reply
Also I was a little confused by autocomplete, I thought he meant for the address bar.
[+] [-] elwell|12 years ago|reply
[+] [-] thatmanjose|12 years ago|reply
[+] [-] rejoinder|12 years ago|reply
https://yoast.com/research/autocompletetype.php
[+] [-] ondiekijunior|12 years ago|reply
[+] [-] DavidWanjiru|12 years ago|reply
[+] [-] Aqueous|12 years ago|reply
One might even classify this as a bug.
[+] [-] daveasdf|12 years ago|reply
[+] [-] snewman|12 years ago|reply
[+] [-] tambourine_man|12 years ago|reply
[+] [-] peter303|12 years ago|reply
[+] [-] kolev|12 years ago|reply