I must be signed up as a user with an account on several dozen sites/apps on the web. As a result I spend an awful lot of time just logging into each of them on a daily basis.
Luckily browser vendors noticed this too and started enabling auto-completion of forms… they’d ask you after you submit a form if you want it to remember your form details for you… click yes and presto! the next time you visit it pre-populates the values automatically.
Gah! what about security! we can’t have these values just magically appear out of thin air! What if someone steals my laptop and then logs in to my accounts and does bad things!
Well yes – this isn’t always ideal… and so when I’m on a high security site like my “Secret Swiss Bank Account” I hope that the developers added the `autocomplete="off"` attribute to either the entire form… or at least the password field. Thankfully developers for the various browser vendors agreed that there should be a way to turn off this feature for certain situations.
However it’s important to note that the times I don’t want my password saved are very few. If I sign into my local radio station’s web site to enter contests and such, is the hassle of remembering and re-typing my password worth the security it *might* provide me *if* my laptop is compromised? No – not at all… in fact I’m much more worried about my laptop being stolen for the financial cost of replacing it more than anything else.
Luckily I’m a developer too and thus if I encounter a site that has slapped on the `autocomplete="off"` attribute to a form that really doesn’t need it (e.g. most) I can whip open my developer tools and switch the flag to on… submit… and presto! my browser saves the data for me.
However I’ve encountered a new issue that thwarts my efforts. Sites that slide in an overlay login panel with a username and password field… but NO actual form! They simply grab the username and password values and post them to the server via AJAX.
This is one of those cases where using some “fancy pants” AJAX just because you can has actually reduced usability for users. I’m all for advancing user interfaces where there are gains in the aesthetics, performance, usability, speed, simplicity, touch-friendliness, keyboard-friendliness etc. however it’s important not to lose sight of the goal. In the case of a login page the goal is to get authorized users into the application/site as fast and as easily as possible… but with this “formless” form they’ve actually made it worse.
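A site owner can check templates for both patterns discussed above: a password field with no enclosing form, and `autocomplete="off"` on a login. The following is an added example, not code from this post or from the site in question; `auditLoginMarkup`, `parseAttrs`, the hypothetical `ajaxLogin()` handler and the sample markup are all constructed for illustration.

```javascript
// Added example (not the site's code): flag password fields a browser may not offer to save.
// Assumption: regex tag scanning suits simple templates; it is not a full HTML parser.
function auditLoginMarkup(html) {
  const findings = [];
  const formStack = []; // attributes of the currently open <form> elements
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === "/";
    const attrs = parseAttrs(m[3]);
    if (m[2].toLowerCase() === "form") {
      if (closing) formStack.pop(); else formStack.push(attrs);
      continue;
    }
    if ((attrs.type || "text").toLowerCase() !== "password") continue;
    const id = attrs.id || attrs.name || "(unnamed)";
    const form = formStack[formStack.length - 1];
    if (!form) findings.push({ field: id, issue: "password-outside-form" });
    const ac = (attrs.autocomplete || (form && form.autocomplete) || "").toLowerCase();
    if (ac === "off") findings.push({ field: id, issue: "autocomplete-off" });
  }
  return findings;
}

function parseAttrs(src) {
  const attrs = {};
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(src)) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
  }
  return attrs;
}

// Constructed sample: a formless overlay, a form with autocomplete off, and a plain login form.
const SAMPLE = `
<div id="login-overlay">
  <input type="text" id="user">
  <input type="password" id="pass">
  <button onclick="ajaxLogin()">Log in</button>
</div>
<form action="/login" method="post" autocomplete="off">
  <input type="password" name="password">
</form>
<form action="/session" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
</form>`;
console.log(auditLoginMarkup(SAMPLE));
```

The `password-outside-form` finding marks the “formless” overlay; the third form, a real form with `username` and `current-password` hints, produces no findings.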
I’m going to contact the owner/author of the site in hopes that they can rectify the issue vs. drag their name through the mud. I’m sure this side-effect wasn’t intentional.