Principle of Least Astonishment [Edit x1]

Filed under: technology, rant by tamber
23 June 2010 @ 18:30

Okay, web developers, it’s time we had a chat. You know that little thing you keep doing with password fields, autocomplete="off"? Yes, that violates the Principle of Least Astonishment. It’s also frustrating and (believe it or not) makes things less secure.

If I tell my browser to save passwords, I want it to (surprise, surprise) save passwords. What right do you have to override my preference? This misguided, half-arsed attempt at security is making my life a pain, because my browser isn’t saving passwords when I expect it to. So you know what I have to do with my passwords instead? I have to write them down. And that reduces my security and convenience, because now not only is my password on a piece of paper that anyone can read (rather than in my password manager, where only I can read it), but it’ll inevitably end up getting lost and I’ll have to reset my password (and the whole cycle starts again).

So, please, stop trying to make security decisions for me, because I know what to do with my passwords better than you do. (Out of interest, what do you do? Use the same, easy-to-remember (but horribly insecure) password for all your sites? Have a notepad with all your passwords on? Or are you the kind of person who can remember the countless random 12-character alphanumerical passwords you have for everything?)

My current solution, because no-one will read this and stop forcing their idea of security on me, is to edit the function _isAutoCompleteDisabled in nsLoginManager.js to always return false, which lets my browser save passwords like I intended.

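Better solution: Greasemonkey and the following script.

    // ==UserScript==
    // @name Turn ON autocomplete
    // @namespace http://desgrange.net
    // @include *
    // ==/UserScript==
    (function() {
        // Re-enable autocomplete only where the page set the attribute explicitly.
        function turnAutocompleteOn(element) {
            if (element.hasAttribute('autocomplete')) {
                element.setAttribute('autocomplete', 'on');
            }
        }

        // Index-based loop: for...in over document.forms also yields
        // non-element keys such as "length", which have no hasAttribute().
        for (var f = 0; f < document.forms.length; f++) {
            turnAutocompleteOn(document.forms[f]);
        }

        var inputs = document.getElementsByTagName('input');
        // The listing is cut off after "for(var i=0; i"; the rest of this
        // loop is reconstructed from the form loop above.
        for (var i = 0; i < inputs.length; i++) {
            turnAutocompleteOn(inputs[i]);
        }
    })();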