For a system that I’m working on that I plan to, at some point, release as open source product, I am going to implement a system so that, to get the specific pages, you need to enter your password even if you are logged in. If you do, you will remain “super-authed” untill you close the browser. This would prevent, ie, my little sister to use my laptop, go to my website and have full power because I’m still logged in. But as I was working on it, a question arose: How good is this, taking into account that most people will just end up storing the password in their browser. Obviously, there are ways around that. (Using a random name for the password field each time is probally enough.) But, by doing that, I will be breaking browser functionalities. Do I really want to do that?
-
Archives
- January 2013
- August 2011
- January 2011
- October 2010
- September 2010
- August 2010
- July 2010
- May 2010
- April 2010
- January 2010
- December 2009
- October 2009
- August 2009
- February 2009
- November 2008
- October 2008
- June 2008
- May 2008
- February 2008
- December 2007
- September 2007
- July 2007
- April 2007
- March 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- June 2006
-
Meta
<input type=”password” autocomplete=”off” />
Done.
I don’t think it’s a big deal if you do that.
While in general I prefer to let a user keep control of his or her browsing experience, there’s always the exception to the rule. In a case like this, it’s reasonable to prevent users from automatically filling out password forms–that’s extra security, after all. And it’s not like you’re adding 300 layers of security complete with a CAPTCHA image, and ID image, a question, an ID phrase, and whatnot. 😛
*cough* My bank sucks *cough*
Wow, Seth, I had no idea there was such a thing.
Seems like I’ll need to use a custom doctype for this though and I’m not sure I’m 100% comfortable doing that just yet. (Knowing me, I’ll break more this I fix when doing something like that.)
It’s an interesting question you pose, Jory. While some may find it an annoying quirk, I think that an extra layer of security like what you proposed is worth it. I used to worry about family members messing with things that I stay logged into. Now I generally lock my sessions if I’m going to be gone for any extended period of time. All in all, I don’t think it’s unreasonable to limit unessential functionality for security’s sake.