In the short term for the home user I sort of agree, but IMO the fact that 
there has been no notification for the average user that something has changed 
is wrong.  That it’s a difficult opt-out vs. an easy opt-in ‘feature’ is also 
the wrong paradigm for introducing this.  In effect, most users don’t even have 
a choice here — they think all their favorite websites suddenly started to 
allow Chrome to remember their password and just went with it [gets into some 
legal issues as well, but that’s *way* off topic].

For enterprise, this is just going to raise the anxiety about BYOD; even more so 
when the same feature inevitably migrates to the mobile version as well.

Ultimately, taking control away from the individual web developer is not the 
right way to solve this problem over the long term.  It’s a real problem, but 
we should be educating the web developer and teaching him / her what is and is 
not an appropriate place to turn autocomplete off.  We should be working to 
facilitate alternative strong login methods (Chrome Keystore anyone?  
Browser-based biometrics?).  Even doing this as an opt-in but then requiring a 
good password on your Chrome password store would have been a huge improvement. 
 But Google didn’t do any of that; they just decided they knew better and acted.

As to CAS, I concur that there’s no reason to do anything about it, if for no 
other reason than that if you read the threads, Google is actually trying to 
defeat the workarounds as well.  It’s the new normal.




-- 
Ne Desit Virtus,

Sean R. Baker


On Jul 23, 2014, at 1:44 PM, Marvin Addison <marvin.addi...@gmail.com> wrote:

>> I (lately) discovered this very undesirable feature of Google Chrome 34
>> which proposes that the user save their password even if autocomplete is off
> 
> I salute them for that choice!
> 
>> The only remaining solution is to hack the login page for example by adding
>> hidden input fields (see http://stackoverflow.com/a/22694173/2008215 ).
>> 
>> Do you think we should import this hack in the CAS server?
> 
> Strongly recommend against it.
> 
>> How to manage it?
> 
> Leave it up to user choice. I have the "autocomplete=on" extension in
> Chrome, and I'm happy to learn I'll no longer need it. I would imagine
> you'll have an "autocomplete=off" extension in the near future, and I
> would recommend you offer it to your users. I think putting the choice
> of credential storage in the users' hands is exactly where it belongs.
> 
> M
> 
> -- 
> You are currently subscribed to cas-dev@lists.jasig.org as: 
> sean.ba...@usuhs.edu
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-dev

