Overriding nsLoginManager.js "off" in Fx.......

Hi forum members,

What are the security implications of adding the following two lines to Firefox’s nsLoginManager.js file (this file resides inside the Firefox components folder), e.g.
comment out the following lines:

Code: [Select]
if (element && element.hasAttribute(“autocomplete”) &&
element.getAttribute(“autocomplete”).toLowerCase() == “off”)
return true;
This is overriding the, default settings to enable the Firefox password manager for all websites, even those that request that the feature be disabled. Some folks that like complete control over their browser and what it does want to implement this (because they want to limit the amount of passwords they use for instance), but why should this be an unwise thing to do? Like to hear your arguments pro and contra. Background info:
http://dotancohen.com/howto/firefox_password_manager.html

luntrus

This is overriding the, default settings to enable the Firefox password manager for all websites, even those that request that the feature be disabled. Some folks that like complete control over their browser and what it does want to implement this (because they want to limit the amount of passwords they use for instance), but why should this be an unwise thing to do?

I dunno. I hate password managers.

Not because I’m afraid of security implications, it’s more of a hate towards people who don’t remember their passwords.

Let me try to explain. You set up a computer for a 60 year old man and teach him how to login to his email via a website.
If you let him click, “Save my password”, he eventually forgets it, because he’s been clicking the, “login” button for too long, and hasn’t entered his password for ages.

Then, his hard drive dies, and you’re expertise is called upon. You replace the hard drive, spend hours rebuilding the computer, and trying to recover old files. You get to the, “Email” part of it, and he can’t remember the password that he/she set up years ago, and have to go through methods of resetting it. Then, you realize it’s many more sites than just one that you have to reset.

BIG pain in the butt.

I’m guessing that this has to do with what you wrote. I can’t understand if you’re trying to turn off autocomplete or keep it on.

Anyway, my standpoint is to always make the user type their password, and to never have the system remember it. Plain and simple.

Of course, you can’t make everybody do this, but I warn as many people as I can to not let their “browser” remember their login info as much as possible.