Disable password managers

leatherback

Dear All,

Very often I get the request to save parameters for forms. Is tere a simple way of preventing these scripts to work? If so: How do I do it?

I really do not like the idea of passwords to secure sections of a site to be stored in a browsers' passwordlist

thax,

justsomeone

Nope. Well, maybe "Nope and Yes".

There is nothing you can do to disable stuff like that. When you get a username and password sent to a login form, you have no way of knowing if the user just remembered the details, had them returned by a password manager, had them stuck on a postit on their computer screen, yelled out to Kate in reception to tell him the password, or, or, or... You have no way of knowing.

What you can do, but it would probably involve a lot of coding from your end is not to require the full password at all. For instance, you could require people to have an eight-digit-PIN (either of their choosing, or decided by you). Then, when they want to log in, instead of asking for the full PIN, ask for 3 or 4 random digits from it.

Please enter the first digit of your PIN:
Please enter the fourth digit of your PIN:
Please enter the second digit of your PIN:

Disable logins on the account after 3 failed attampts, requiring some proof of entitlement before resetting things.

This will make it very difficult for password managers etc. It will also make life tougher for network sniffers, overtheshoulder-peekers, keyloggers, etc etc