“Remember Password” and Security Issues

Recently, we added a few new fields to our ticket submission form. These let the customer fill in all the login details relevant to a support ticket, including their account username and password.

  • Please let me take this opportunity to remind you to use the helpdesk when submitting tickets. Try to avoid sending an email to submit a ticket. In the near future we will be upgrading our helpdesk software and disabling email communication. Email notification will remain, so you will still receive replies via email, but customers will be unable to submit a ticket via email; they will need to log in to the helpdesk interface to submit one. This removes any confusion as to whether we have received a ticket, and it is also more secure than email because we force the helpdesk to load over SSL.

Back to the topic: you are probably aware of the “Remember Password” feature in most browsers. You would probably also assume that the field name is used to store the data in the browser, so that the saved data is only valid for that particular form on that particular site. The following may be of interest to developers who deal with multiple forms on a single domain/site.

When we tried to implement similar field types for two separate forms within the same domain, what we found completely surprised us. Most browsers identify each field by the text description within the <form> tags rather than by its name. This means that if two forms ask for the same type of data by text description, for example a username and a password, the browser will attempt to autofill every such form under that domain with data that was saved for a different form. Most browsers completely ignore the fact that the field name/id differs between the two forms.

Why is this relevant and important? Say you have a billing system that lets the user log in and check their invoices. On the same site you also offer that user the option to sign up for a new service, and you ask them to provide a username and password for the new account. Most browsers will fill the sign-up username and password fields with the saved login details even though the HTML names of those fields differ from the login form's. Not only is the data irrelevant, but it can also become a security issue if the multiple forms on a site are designed incorrectly, since the user's existing password ends up submitted through a form that was never meant to receive it.

There is a workaround, though. It is possible to tell the browser not to apply the “remember password” feature on certain forms. To achieve this, simply add the following attribute to the opening form tag:

autocomplete='off'

This attribute is only an official standard in HTML5, although in our testing most browsers co-operate regardless of the document type. The same technique can be used to stop the browser from saving other sensitive information, such as credit card numbers.
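As an added example (not the original post's code), the script below audits page markup for password fields that a browser could still autofill with a login saved for another form on the same site; the sample page is constructed and models the billing and sign-up scenario above. It treats both the post's autocomplete='off' and the HTML autocomplete="new-password" hint as suppressing autofill.

```javascript
// Added example, not the post's code: audit markup for password fields the
// browser's "remember password" feature could autofill. Sample page is constructed.
const SAMPLE_HTML = `
<form id="login" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
</form>
<form id="signup" method="post">
  <input type="text" name="newUser"> <input type="password" name="newPass">
</form>
<form id="signup-fixed" method="post" autocomplete="off">
  <input type="text" name="newUser"> <input type="password" name="newPass">
</form>`;
const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;            // only the tags this check needs
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Values that stop a saved login being dropped into a field: "off" (the post's
// workaround) and "new-password" (the HTML hint for sign-up/change-password
// fields, which current browsers honour even where they ignore "off").
const SUPPRESS = new Set(['off', 'new-password']);

// One entry per form: its id plus the password fields still autofillable, i.e.
// with no suppressing autocomplete on the input or inherited from its <form>.
function auditForms(html) {
  const forms = [];
  let current = null;
  for (const [, closing, name, rawAttrs] of html.matchAll(TAG_RE)) {
    const a = parseAttrs(rawAttrs);                        // {} for a closing tag
    if (name.toLowerCase() === 'form') {
      current = closing ? null : { id: a.id || '(anonymous)', autocomplete: (a.autocomplete || '').toLowerCase(), exposed: [] };
      if (current) forms.push(current);
    } else if (current && (a.type || 'text').toLowerCase() === 'password') {
      const ac = (a.autocomplete || '').toLowerCase();     // field setting overrides the form's
      if (!SUPPRESS.has(ac || current.autocomplete)) current.exposed.push(a.name || a.id || '(unnamed)');
    }
  }
  return forms;
}

// The post's failure mode needs two or more forms whose password fields the
// browser may fill with the same saved credential.
function crossFormAutofillRisk(html) {
  return auditForms(html).filter(f => f.exposed.length > 0).length >= 2;
}

console.log(auditForms(SAMPLE_HTML), crossFormAutofillRisk(SAMPLE_HTML));
```

In the sample, only the "signup-fixed" form is reported clean; the plain sign-up form is flagged alongside the login form, which is exactly the combination the post describes.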

On the client end, it is never a good idea to save passwords in a browser anyway. The data is not encrypted and can easily be viewed by anyone who has access to the browser. Instead, use tools such as KeePass (open source) or 1Password (commercial) to store sensitive information such as login details.