undefined | Better HN

0 pointsTobani8y ago0 comments

There are a couple of reasons to actively prevent autofill passwords. The only one I have seen for login autofill prevention is when the password is actually a generated token (ala yubikey,etc) and a password manager won't do the right thing by default.

There are regulatory bodies that require regular challenge of user identity for approving items as sort of a signature mechanism. This is another time where active thwarting the password manager makes sense. Whether or not the regulation makes sense is an entirely different issue.

0 comments

sowbug8y ago

Those are good reasons, and I appreciate when the attribute is used properly in these cases. It's annoying to have to say "no, don't remember this updated password" to my browser every single time I visit certain sites that ask for OTPs that my browser wants to autofill.

In the token case, I wonder whether they should have been password fields to begin with. Replacing a 6-digit OTP with asterisks is of questionable benefit, because the shoulder-surfer it thwarts can't reuse the OTP and is really unlikely to swipe it and use it before you do.

j / k navigate · click thread line to collapse

0 pointsTobani8y ago0 comments

0 comments

sowbug8y ago

j / k navigate · click thread line to collapse