All geek questions in one place

Does password disconnection end automatically in Firefox?

Firefox recently began to ignore autocomplete = "off" for password fields and now allows the user to save passwords all the time. We have a large application used by thousands of users, and by law we must ensure that passwords are NEVER stored in plain text on our customers' computers.

Is there any way to prevent Firefox from saving these passwords? We found a workaround for Chrome (it only saves the first password field on the screen, so we added a hidden one to the real one), but we were out of luck with Firefox. For now, the only option we have is to completely disable Firefox support.

And yes, I understand that blocking a user from saving passwords is annoying, but we have no choice ... this is a requirement imposed on us by federal rules.

+5
source share
4 answers

This issue caused a lot of controversy in the office, but we came up with a solution.

Use the click button to submit the form (instead of the usual submit button). Then fill in your hidden field, delete the value of the visible field and send. JSFIDDLE

Select a sample event:

$('#post').click(function(e) { var password = $("#password"); var realPassword = $("#therealdeal"); realPassword.val(password.val()); password.val(''); $('#form').submit(); });

It appears that in the submit event, the browser will serialize the form and use the values โ€‹โ€‹of serlized objects to submit. That's why you can't just do something like

The sample does not work:

 $('#form').submit(function(e) { var password = $("#password"); var realPassword = $("#realpassword"); realPassword.val(password.val()); password.val(''); });

even though the value on dom is cleared before the true transfer occurs, it is still read from the object with the serialized form.

Tested in IE, Firefox and Chrome

+2
source

Use <input type=text autocomplete=off> instead. Password managers will not influence such control at all. It will not mask the characters that the user enters. Otherwise, it works the same as with type=password .

If the improvement in usability (without masking) is unacceptable for higher permissions, you need to create your own masking behavior (input catch events, changing the input to "*" or some other masking character, saving the actual input to a hidden field) or find a library tool who will do it for you.

+1
source

Firefox does not store passwords in its autocomplete database; he offers only to save them in his password manager. If the user supplies the "master password" in Preferences-> Security, the password manager database is encrypted. In addition, if you disable the password manager in Settings-> Security, the password manager will never store encrypted passwords or otherwise.

If your goal is to require that passwords never be saved in text format, trying to prevent them from being saved is not particularly effective. Users can always simply store a text file with passwords on their desktops.

Firefox is not alone, ignoring autocomplete="off" in relation to its password manager; Internet Explorer 11 also does this. The rationale behind Firefox for this change is at https://bugzilla.mozilla.org/show_bug.cgi?id=956906 . In essence, the consensus is that trying to require users to remember unique passwords for every site on which they have accounts leads to weak, reusable passwords and that the best strategy to avoid this is to use password managers. See also this topic: https://security.stackexchange.com/questions/49326/should-websites-be-allowed-to-disable-autocomplete-on-forms-or-fields .

+1
source

Here is my solution to a similar problem:

This code is executed after the page loads:

 setTimeout(function(){ $(".profile-form input[type=password]").val(''); }, 500);

Just wait a while (in this case, 500 ms) after loading the page before resetting the input field. I did not work without setTimeout.

-1
source

Source: https://habr.com/ru/post/1200802/

More articles:


All Articles