These days most web browsers offer some sort of form autocompletion feature: IE, Firefox, Opera and Safari all have it. The browser offers to store your logon information and common form fields such as first name or address and fills them into the appropriate forms. As far as I am concerned this feature was a blessing for web security. Now, you would think, a user can choose proper, secure passwords for his various web sites without writing them down on sticky notes and without reusing the same ones over and over again.
Unfortunately this is not entirely true, since not one browser I know of offers an easy and obvious way to back up the stored passwords, or an easy and obvious way to use them from a portable medium such as a USB key or a mini CD. I know that with a bit of skill you can export IE and Opera settings and back up a Firefox profile, but who is going to bother? This should be something the browser does for you transparently, so that people actually get into the habit of using the feature properly. But back to the point. In Microsoft's implementation, autocomplete doesn't fill the fields automatically. If you go to the login page of some site it presents you with a choice of usernames, and once you pick a username it fills in the password if one was stored. Not very secure, especially considering that by default IE prompts you to turn autocomplete on every time you fill in a form, and once it is on there is no indication that your username is being stored; it only prompts before storing the password. So, on a publicly accessible computer this feature becomes a privacy and security horror?
Not really. If the feature is off by default and the user is not nagged about it, no one in their right mind will turn it on on a public computer, and a nicely evil restrictive user policy will take care of those not in their right mind. Firefox has a similar feature, where it asks whether to remember your username and password, but the default answer is no, and it will not remember your username without asking. So, what is the Microsoft solution? In IE 5.5 a new feature creeps in: the autocomplete attribute. Now anybody designing a login form can turn off autocomplete for a particular form, or even for a particular control. Firefox, in a fit of moronic excitement, follows suit and implements support for this new non-standard attribute without thinking about the consequences. I am fairly sure Opera recognizes autocomplete as well. So, for example, when browsing the Chase online banking site you are not going to be prompted to remember the password you are entering. This is a good thing, then. You do not want to leave your bank account wide open, do you? No, I do not. But this is not a good thing. Why? Because it takes control over security away from me, the user. Now Chase Manhattan Bank decides that my bank login information is sensitive enough not to store anywhere, not me. A lot of sites follow suit and use the autocomplete attribute left and right, without any regard to the actual risk of the user's account falling into the wrong hands. Some web site analyzer programs actually throw a warning if they find a password field without autocomplete=off. So now I cannot decide for myself whether a particular piece of information is important; this has been decided for me.
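Here is what that attribute looks like in the markup and one way for the user to take the decision back, as an added example that is not from the original post and not anybody's product code. It assumes a small constructed login page (the markup, field names and URL are made up for the example) and shows two things: an audit that lists the form and controls carrying autocomplete=off, which is what the analyzer programs mentioned above check for, and a rewrite that flips the attribute to on so a browser that honours it will offer to remember the login again. The string form is what a filtering proxy would run over the page; the last function applies the same rule to the live DOM and is what a bookmarklet or user script would call. One caveat: current versions of the major browsers ignore autocomplete=off on login fields, largely for the reasons argued in this post, so the rewrite matters mostly for browsers of the era discussed here.

```javascript
// Added example, not code from the original post: give the autocomplete
// decision back to the user by rewriting autocomplete="off" to "on" on the
// elements that carry it. The string version is what a filtering proxy or a
// test harness would run over page markup; the DOM version is what a
// bookmarklet or user script would call on the live page.

// Elements on which the attribute is meaningful (assumption: anything else
// carrying it, e.g. a <div>, is left alone).
const AUTOCOMPLETE_TAGS = new Set(['form', 'input', 'select', 'textarea']);

// Matches an autocomplete=off attribute inside a tag's attribute list.
// Accepts double-quoted, single-quoted and bare values, case-insensitively.
// The leading \s and the trailing lookahead keep name="autocomplete_offset"
// or value="...autocomplete=off..." from matching.
const OFF_RE = /(\s)autocomplete(\s*=\s*)("off"|'off'|off(?=[\s\/]|$))/i;
// Pulls the name="..." attribute out of an attribute list, for the audit report.
const NAME_RE = /\sname\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\/>]+))/i;
// Start tags only: </form>, <!-- --> and <!DOCTYPE> do not match.
const TAG_RE = /<([A-Za-z][\w-]*)([^>]*)>/g;

// Rewrite one attribute list, keeping the original spacing and quoting style.
function rewriteAttributes(attrs) {
  return attrs.replace(new RegExp(OFF_RE.source, 'gi'), (_m, ws, eq, val) => {
    const quote = val[0] === '"' || val[0] === "'" ? val[0] : '';
    return `${ws}autocomplete${eq}${quote}on${quote}`;
  });
}

// Audit: list the form/control tags that carry autocomplete=off.
function findAutocompleteOff(html) {
  const found = [];
  const tagRe = new RegExp(TAG_RE.source, 'g');
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, tag, attrs] = m;
    if (!AUTOCOMPLETE_TAGS.has(tag.toLowerCase()) || !OFF_RE.test(attrs)) continue;
    const n = NAME_RE.exec(attrs);
    found.push({ tag: tag.toLowerCase(), name: n ? (n[1] ?? n[2] ?? n[3]) : null });
  }
  return found;
}

// Rewrite: return the page with the attribute switched to "on" plus a count
// of tags touched. Regex tag matching is enough for this demonstration; a
// real proxy filter would use an HTML parser (a '>' inside an attribute
// value would confuse TAG_RE).
function stripAutocompleteOff(html) {
  let rewritten = 0;
  const out = html.replace(TAG_RE, (whole, tag, attrs) => {
    if (!AUTOCOMPLETE_TAGS.has(tag.toLowerCase())) return whole;
    const fixed = rewriteAttributes(attrs);
    if (fixed !== attrs) rewritten++;
    return `<${tag}${fixed}>`;
  });
  return { html: out, rewritten };
}

// Browser / bookmarklet version: the same rule applied to the live DOM.
function enableAutocompleteInDocument(doc) {
  const selector = [...AUTOCOMPLETE_TAGS].map((t) => `${t}[autocomplete]`).join(',');
  let count = 0;
  for (const el of doc.querySelectorAll(selector)) {
    if (el.getAttribute('autocomplete').trim().toLowerCase() === 'off') {
      el.setAttribute('autocomplete', 'on');
      count++;
    }
  }
  return count;
}

// Constructed sample login page (not a real site); it mixes the quoting
// styles and cases the rewrite has to cope with, plus two decoys that must
// be left alone.
const SAMPLE_LOGIN_PAGE = [
  '<html><body>',
  '<form method="post" action="/login" autocomplete="off">',
  '  <input type="text" name="username" AUTOCOMPLETE=OFF>',
  "  <input type='password' name='password' autocomplete='off' />",
  '  <input type="hidden" name="autocomplete_offset" value="3">',
  '  <input type="submit" value="Log on">',
  '</form>',
  '<div autocomplete="off">not a form control</div>',
  '</body></html>',
].join('\n');

if (typeof document === 'undefined') {
  // Outside a browser (e.g. node): demonstrate on the constructed sample.
  console.log('autocomplete=off found on:', findAutocompleteOff(SAMPLE_LOGIN_PAGE));
  const { html, rewritten } = stripAutocompleteOff(SAMPLE_LOGIN_PAGE);
  console.log(`rewrote ${rewritten} tag(s):\n${html}`);
} else {
  console.log(`enabled autocomplete on ${enableAutocompleteInDocument(document)} element(s)`);
}
```

Run the block with node to see the audit list and the rewritten markup, or wrap enableAutocompleteInDocument in a javascript: bookmarklet and run it on a login page before typing the password. The tag matching is regex-based and deliberately simple; anything production-grade should go through a real HTML parser.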
Promoting personal freedoms is a good thing, but do these restrictions actually help? Let's imagine a scenario where they help. A user comes to an internet cafe and goes to check his bank account. When prompted to save his account information on a public computer that doesn't belong to him he inexplicably clicks yes (and mind you, just hitting Enter wouldn't do it, since even IE doesn't store the password by default) and walks away. The next person at the same computer happens to be an evil bandit, finds his username and voila, all his money is gone, all his base are belong to us and the bandit is in his base killing his dudes. Well, this is bad, so instead we never offer to remember his password. So, to accommodate the fact that he once again has to remember his passwords by himself, the user in our example and a lot of other users revert to the ways I described at the beginning of this post. They use the same password everywhere (or two, or three), they choose simple, easy to remember (and easy to crack) passwords, they leave sticky notes with passwords on the monitor, etc. etc. etc. So to protect some schmuck who doesn't know that fire burns and guns kill, Microsoft has inconvenienced a lot of reasonable people into lowering their defenses. Is that still a Good Thing?