New weird password manager behaviour

Gervase Markham gerv at mozilla.org
Thu Dec 22 17:01:05 UTC 2016


(If this isn't the right place for this discussion, please tell me where
is.)

On 22/12/16 15:35, Jared Wein wrote:
> There are a few motivations behind this feature:
> - Some websites separate the username and password on different pages
> now. Because they are on separate pages, we need some way to tie what
> password should be entered in on the second page.

My impression was that sites were simply hiding the password field and
then showing it later, and they were doing this so that they didn't
break all the password managers in the world. Is that not right? Are
they in fact breaking all the password managers?

Can we not detect what username was submitted on the first page and
prefill the appropriate password on the second page? Or have a standard
where the username is repeated in a read-only form field, perhaps
hidden, that we can trigger off?

> - On password reset pages, there are often not any login fields, so we
> still want a way to choose which password should be placed in the
> "original password" field.

I think in this particular case, it would be more intuitive if there was
a little icon you could click that would then open a "Select username"
list, and when you chose one, it prefilled the password. Opening
something that looks like an autocomplete strongly suggests that
whatever you pick is what's going to appear in the field - and because
what appears is actually a line of dots, you can't tell whether that's
what's happened or not.

This could perhaps be mitigated if the entries instead were in italics
and grey, like placeholder text, and said:
    Password for gerv at mozilla.org
    Password for gerv at mozilla.com
That would make it more clear that it was the password to be filled, not
the actual text you click on.

> - On webpages that have both a username and password, the password field
> often comes after the username. The autocomplete dropdown only shows up
> when the field is empty,

That's simply not true - or, if it's supposed to be true, this is
broken. When I load expensify.com, I get:

    gerv at mozilla.com prefilled in username
    my password prefilled in the password
    a one-entry dropdown auto-opened below the password field, with that
      single entry being "gerv at mozilla.com".

Why?

Also, on a field where there is just a password, such as:
https://lists.mozilla.org/admindb/legal
I get a pre-filled password, and an auto-opened 3 entry dropdown listing:
    No username (4 Feb 2015)
    gerv at mozilla.org
    Gervase Markham

I have no idea where it's getting that data or what it relates to. But
this page only takes a password, there's no username associated, so this
is also deeply confusing.

> so most users will not see it unless they try
> to enter in their password first. This is also why we don't autofill the
> username portion in this case, because if someone is going backwards
> (password first, then username), there is a high chance that the user
> may want to share a password between accounts.

I don't follow that, sorry. Why would someone enter their password
first, and then username?

Gerv


