[iOliverC]

Hi guys,

I use Safari with my internet banking site, and as usual, the username they gave me is pretty cryptic, meaning I have to read it to type it. For security reasons I guess Safari does not save its password like every other site, I'm wondering if there is a way to force it to save? Firefox does have an extension to force save passwords, but I'd really like to use Safari.

Thanks
Oliver

[TETENAL]

Your bank disallows this for good reasons. Safari obeys this for good reasons. If Safari wouldn't banks would block it.

If your username is too cryptic, save it a s a secure not into a keychain. I suggest you use another keychain not your usual log-in keychain and use a different password for this keychain. Keep it locked.

I have a "Notes" keychain for similar purposes.

[Millennium]

There are two ways that browsers save passwords: as ordinary cookies (for sites coded to use them), or in a special password database. In order to use the password database, however, the browser has to be able to figure out if a given form is a username/password combination. The password part is easy to figure out, but not always the usernames.

The point behind this is that if sites can code themselves so that browsers know about a user/pass combination, they can also code themselves so that browsers don't know about the combination, and therefore don't save it. Banking sites do this for good reasons. Store your password in a more secure manner.

[TETENAL]

Originally posted by Millennium:
The point behind this is that if sites can code themselves so that browsers know about a user/pass combination, they can also code themselves so that browsers don't know about the combination, and therefore don't save it.

It's not that banks code the page so that the browser can't figure out the user/password fields, the banks explicitly turn off saving those form values with autocomplete="off". Browsers need to respect this if they don't want to be blocked by banks.

[Millennium]

Originally posted by TETENAL:
It's not that banks code the page so that the browser can't figure out the user/password fields, the banks explicitly turn off saving those form values with autocomplete="off". Browsers need to respect this if they don't want to be blocked by banks.

That field isn't standard, and so it can't be used by any company that wants to support multiple browsers.

The easiest way to code a page so that a browser can't figure out the user/pass field is simply to give the username field a nonobvious name. Password fields are easy to find; simply look for an input field of type "password". There is no "username" field type, though. To find a username field, therefore, you need to look for its name. Browsers know to look for obvious things like "username", "login, "userid", "uid", and things like that.

To prevent a browser from figuring you where your login/pass fields are, you simply give the username field a nonobvious name. Something silly like "batman" or "pikachu" works just as well from a programming perspective -it's only a name, after all- but it keeps the browser from understanding that this field is used for usernames.

[iOliverC]

Hi guys,

Despite the security risks, is there no way to do this at all then (thanks for the explanations)?

I haven't actually got the bank site bookmarked, so it'd be pretty hard for someone to guess (if I delete my history).

Thanks,
Oliver

[Rainy Day]

Originally Posted by TETENAL

It's not that banks code the page so that the browser can't figure out the user/password fields, the banks explicitly turn off saving those form values with autocomplete="off". Browsers need to respect this if they don't want to be blocked by banks.

Here’s a program, called Autocomplete Always On!, which will patch WebCore (Safari’s HTML engine) to ignore the flag.

Enjoy!