Wednesday, April 17, 2019

Safari Auto-Submitting AutoFilled Passwords

Steve Troughton-Smith:

Safari’s new ‘submit form as soon as you choose from the autocomplete list’ is the quickest way to get locked out of your bank ever. As a universal default, that seems like such a bad idea

[…]

(I think the key part is that it doesn’t consider what happens if the autosaved password is wrong, and so will blind-fire at the site before giving somebody a chance to change it)

This has bitten me several times.

Kyle Howells:

That same sort of ‘presume we are always right’ problem happens with the new password autosuggestion, which covers over the password field and doesn’t let you edit the suggested password anymore.

If it guessed the password requirements wrong you can’t fix it.

Update (2019-04-18): Colin Cornaby:

I hate the way this bypasses the “Remember Me” checkboxes if you didn’t check them before autofill. From Apple’s end I’d guess the lack of cookies and cached logins is probably considered more secure though.

Andrew Abernathy:

As pointed out here, this behavior makes me much more worried about getting locked out of an account.

But beyond that, I dislike the interaction: there’s a “sign in” button on the page, and this preempts me from clicking on that in a way that doesn’t feel “right” to me.

Update (2019-05-01): Dave DeLong:

I generally really really like Safari and have very few complaints about it.

However.

rdar://problem/50369660 “Safari: STOP AUTOSUBMITTING PASSWORD FORMS”

7 Comments

I thought they had recently changed it so other password managers could not do this (i.e., 1Password could no longer do this).

It is mentioned near the end of this article:
https://blog.1password.com/1password-7.2-for-mac-welcome-to-the-dark-side/

Even worse, now you don't have time to check the "remember me" checkmark on the next line after the password. Who made this?

It also breaks logging in when there's a captcha verification required alongside username/pass. Ran into this problem already, and logging in fails endlessly despite using the correct password.

I have several accounts for Amazon and Paypal. I hope this wouldn't mean that I get auto-logged into one of them without being able to choose which one? That'd be catastrophic if I'd pay/buy things on the wrong account because of this.

@Thomas No, it happens after you choose which one.

The one that gets me regularly is the 2FA "SMS me a code". I click that, and then the field comes up to enter the code, and Apple offers me the existing codes (useless!). But then the message with the code arrives and Apple cleverly detects it and offers to fill it (hooray!). But when you click on it, it fills it and removes it from the prefill list, which moves the previous entries up under the mouse and immediately fills the previous entry. Sigh. A perfect example of how to snatch defeat from the jaws of victory!

This has been in STP for some time (couple of months at least). Seems to me it's a bad idea. I really hate it.
