Making password managers play ball with your login form

Published 2018-01-13 front-end
by Hidde de Vries

Secure passwords are long and unique. Therefore, remembering them all is impossible for most human beings. Hence the popularity of password managers. If you’re building a login form, these are some tips to improve the experience for password manager users.

With ‘playing ball’ in this post, I mean that password managers recognise your login form and let you use their features on your fields. Things like password generation, offering to save credentials for a host name and filling in the password for you in a secure way. Ideally, password managers work in both of these cases: on first time visit (when they offer to store credentials) and on recurring visits (when they let you use stored credentials).

1Password suggesting Browserstack credentials to be used for site 1Password recognises it has a pair of credentials for this site

Password managers come with all sorts of heuristics to detect username and password fields. Yet, they sometimes still fail to recognise them. For this reason, Firefox’s password manager complements its heuristics with a recipe system, where users can describe specific instructions for specific hosts. I believe some password managers have hard-coded field recognition for popular websites in order to make them work.

You might think, isn’t recognising my fields the job of a password manager? Isn’t this their problem? I have good news. Mostly, yes. Password managers are built to work with all login forms that follow best practices. Doing nothing special is an option. It will often give you a form that performs well across password managers. But if things don’t play out, this post may contain some pointers to look at.

Password manager popup add to last pass Last Pass playing ball

Security considerations

Password managers that automatically fill in credentials can be prone to coffeeshop hacker attacks (over HTTP) , as shown by Silver, Jana et al in their paper Password Managers: Attacks and Defenses (pdf). They also provided a number of measures that password managers can take to prevent this, including only allowing filling in passwords after user interaction.

There is also a risk of leaking password information to third party scripts. The article explains actions against this include having the login form on a separate domain, ad blockers, and disabling autofilling altogether (as Safari will do by default). At the same time, more transparency could be provided with browser warnings or permission requests before autofilling.

Make sure your form fields are in a <form> element that has an action and a method attribute defined on it.

Another think to look for, is that input elements are associated with a label through their ID (with for) or by being wrapped in one.

Using the right input type can also help: type="text" or type="email" for the username / email address, and type="password" for the password.

The autocomplete attribute on your username and password inputs can help password managers or browsers figure out what your fields are for. Actual autocompleting, as mentioned above, could be a security risk, if it is done by password managers on page load, rather than after user interaction, or if it happens on pages where protocol or host name are off.

Major browsers ignore autocomplete=”off”, some do this specifically for username and password fields, as they deem it more secure than users using very easy-to-remember passwords.

Google recommend using autocomplete attributes, and their advantages also appear in the spec (yes, there’s a spec!):

The autocomplete attribute offers a declarative mechanism by which websites can work with user agents to improve the latter’s ability to detect and fill sign-in forms by marking specific fields as “username” or “password”, and user agents implement a wide variety of detection heuristics to work with websites which haven’t taken the time to provide this detail in markup.

(Source: Credential Management spec)

For usernames

For the username field, you can add autocomplete="username".

For passwords

For new passwords, for example during account creation or in a password reset process, it’s autocomplete="new-password". For current passwords, for example in a login form, it’s autocomplete="current-password".

Both 1Password and LastPass have various recommendations related to unexpected behaviour. Well-built login screens:

  • try to stay away from dynamically adding and removing fields
  • don’t regularly change names or IDs (or, worse, populate them dynamically)
  • have the form on the page on first render from the server
  • avoid method=GET and XHR requests for logging in (it can work, but it is harder)
  • use the placeholder attribute as it is intended
  • steer clear from mimicking a password field with a regular field so that you can do things like showing the last character

The message here is: keep it as simple as you can. This helps both users and password managers.

Multi-page login forms can make sense, for example if there are different login options based on the type of user. With this kind of login pages, some password managers, including LastPass, may not play ball. I’ve found that LastPass will not work on first time visits, when your password field is hidden or in a hidden element (more on the hidden attribute). In others, including 1Password and the built-in managers of Chrome and Firefox, this problem does not exist.

In my situation, ‘pages’ were just divs on the same page, with only one of them not hidden. That caused LastPass to not do its first time visits thing. I consider this a bug in LastPass, or overly enthusiastic heuristics at the very least. I found out that if I used something like opacity: 0; it did not fail. This would cause a weird user experience, as opacity only visually hides elements, leaving them available to access by keyboard or Assistive Technologies (AT). Sometimes, and in this case, accessibility is about making something inaccessible to all, at the same time (i.e. when temporary hiding certain screens in a flow).

What I ended up going for is this: I used data-hidden instead of hidden, with CSS that only visually hides. In addition, I added the inert attribute (and its polyfill, as it has no browser support), to make sure the elements are not only invisible, they are also unavailable to use (until they should). Unavailable not only visually, but also for keyboard and AT users. It’s hacky, but it did circumvent LastPass’ bug.

Password managers are essential to secure internet usage, so making our login fields work with them is extremely important. This will mostly happen automatically if you follow best practices. The autocomplete attribute can make it easier for password managers to recognise your fields. Using hidden attributes can make password managers fail altogether. This can be hacked around, but I do not recommend doing so, unless absolutely necessary.

Many thanks Job, Krijn, Mathias and Henrik for suggestions and feedback

Comments, likes & shares (15)

Bart van de Biezen, Shawn Medero and Kees de Kooter ???? liked this

Bart van de Biezen and Kees de Kooter ???? reposted this

Hidde de Vries (@hdv@front-end.social) is a web enthusiast and accessibility specialist from Rotterdam (The Netherlands). He currently works on web standards for the Dutch government and is a participant in the Open UI Community Group. Previously, he worked for W3C (WAI), Mozilla, the Dutch government and others as a freelancer. Hidde is also a public speaker, he has given 73 talks, most recently in Virtual. In his free time, he works on a coffee table book covering the video conferencing apps of our decade. Buy me a coffee Follow on Mastodon Follow on LinkedIn wrote on 6 September 2022:

WCAG 2.2 is the next version of the Web Content Accessibility Guidelines, published 5 October 2023. It includes all of WCAG 2.1, minus 4.1.1 Parsing, plus nine new criteria. Of those, six are in Level A + AA, the most commonly tested combination of levels.

Let's look at how you could meet the new Level A + AA criteria (note: this is just my summary and interpretation, for the official specification and wording, refer to WCAG 2.2):

  1. Focus Not Obscured (Minimum) (2.4.11, AA): don't obscure the element that has focus (eg with sticky headers/footers or modals)
  2. Dragging Movements (2.5.7, AA): when some action in your UI requires dragging, ensure the same action can also be performed without dragging (with a “single pointer”). Example: a map that can be dragged to move around, but also offers buttons to move up, down, left and right.
  3. Target Size (Minimum) (2.5.8, AA): ensure that things you can click (or otherwise “point”, eg using pen, touch etc), are more than the specified minimum size, unless there's enough distance, it's inline or the small size is “essential”
  4. Consistent Help (3.2.6, A): if your page/app contains help options, they are in the same order across pages (unless user zooms/turns device; these kinds of user-initiated changes are excepted)
  5. Redundant Entry (3.3.7, A): avoid that users have to enter the same information twice, instead auto-populate or allow previous input to be selected. Some exceptions apply.
  6. Accessible Authentication (Minimum) (3.3.8, AA): if your auth requires a “cognitive function test” (user has to remember, manipulate or transcribe), offer a way without such a test, or allow for assistance (eg support password managers, don't block copy/paste)

One SC was removed: Parsing (4.1.1). It existed because assistive technologies had to parse HTML, but they no longer do so directly.

Notably, the new SC Focus Appearance (2.4.13), that was initially put in Level AA, is going to be Level AAA. It has requirements for what focus styles look like, regarding contrast, size of the contrasting area and contrast of adjacent colors (this one may be the most tricky and “at risk”, but there's a lot of examples in Understanding Focus Appearance)

An overview of the new criteria, including examples of how they are useful to real people can be found on What's new in WCAG 2.2.

List of updates
  • 5 October 2023: WCAG 2.2 comes out today, updated intro to match that.
  • 18 September 2023: The post said “Accessible Authentication” was Level A, but it is AA. Updated this (thanks Jules!).
  • 18 July 2023: Removed comment on Focus Visible level change (to A) as it was changed back (to AA); renamed and renumbered Accessible Authentication; renumbered Focus Not Obscured; added removal of Parsing.
Thanks to the Accessibility Guidelines Working Group (AGWG) at the W3C or all their work on WCAG and this latest version. Thanks James Edwards for feedback on my Dragging Movements example.