R – When to disable “save password” functionality on your login form

Tags: cross-browser, language-agnostic, security

I have a public-facing website that is used to manage business infrastructure equipment for my clients. A security breach on this website could cause expensive problems for clients.

A number of different websites–mostly banks, health care, and government–disable the "save password" dialog from appearing in Firefox, IE, and other browsers, citing security concerns. I'm talking about the box/bar that appears after you enter your login information, so the browser can auto-populate the username/password fields for you the next time you visit that site.

My question is not how to disable, because that is answered in the Disable browser 'Save Password' functionality question.

What I want to know is:

  • What are some cases in which it is absolutely essential to disable "save password" functionality? Do such cases exist?
  • Does this technique really provide any additional security? In other words, won't people find a way to leak their passwords despite your best efforts?
  • Do users complain about removal of "save password" functionality?
  • Any other thoughts on when to disable "save password" functionality?

Best Answer

I complain about it ;-) I was actually just thinking about this today because my online banking site disables password autocompletion and it's really irritating.

While not a majority of computer users, there are plenty of people who know how to manage their passwords securely, and for them it's really irritating when websites disable the password field autocompletion, because it means they need to do something like, say, writing the password down, or picking a simple one that's easy to remember - neither of which makes them happy, because as I said, these are people who take password security seriously. Using a browser's password manager is pretty much the best compromise between security and convenience we have. And the annoying part is, if a website tries to disable autocompletion there's no easy way to tell some browsers to ignore that. (In Firefox it requires hacking some JavaScript file.)

This also ties into the thing Joel once wrote about how users, erm, people like to be in control of their environment. They're much less likely to use (or at least like) a program or website that takes it upon itself to decide that they can't be trusted with a password manager.
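For reference, here is the mechanism both the question and the answer are talking about, as an added example that is not part of the question or the answer above. Form A labels its fields with the standard HTML `autocomplete` tokens so the browser's password manager can recognise and fill them; form B is the "disable save password" pattern the question describes. The `action` path is assumed for illustration.

```html
<!-- Form A (added example): cooperates with the browser's password manager.
     The autocomplete tokens tell the browser which field is the account
     name and which is the existing password, so the "save password" prompt
     and later autofill work as the user expects. -->
<form method="post" action="/login">  <!-- action path is assumed -->
  <label>Username
    <input type="text" name="username" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="password" autocomplete="current-password">
  </label>
  <button type="submit">Sign in</button>
</form>

<!-- Form B (added example): the pattern the question asks about.
     autocomplete="off" is only a hint asking the browser not to remember
     or prefill these values; current mainstream browsers generally ignore
     it for login password fields, so it mainly inconveniences users who
     rely on the password manager rather than preventing credential reuse. -->
<form method="post" action="/login" autocomplete="off">  <!-- action path is assumed -->
  <label>Username
    <input type="text" name="username" autocomplete="off">
  </label>
  <label>Password
    <input type="password" name="password" autocomplete="off">
  </label>
  <button type="submit">Sign in</button>
</form>
```

The practical difference for a defender is that form A lets users keep long, unique, generated passwords without friction, whereas form B pushes the users the answer describes toward weaker or written-down passwords, while providing no protection against a user who chooses to store the password elsewhere.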
