How-To Geek

How To Force Your Browser to Remember Passwords

If you use the password manager built into your browser for remembering all your web logins, or are considering it in light of the recent events with LastPass, you have (or will) inevitably come across certain sites which simply will not allow you to save your password. However, with a simple click or two of your mouse, you can work around this limitation and force your browser to remember the password on these uncooperative sites.

Editor’s Note: of course, if you’re using LastPass, this functionality is built right in. This article is for those that prefer to use the built-in browser password saving instead of putting their passwords in the cloud.

Why won’t some sites allow me to save the password?

The answer is quite simple: the “autocomplete” attribute on the form and/or input elements is set to “off”. This attribute was introduced by Internet Explorer 5 and does what its name suggests: it prevents auto-complete functionality from applying to any field which has it explicitly turned off.

As you can see here on PayPal’s site (which does not allow you to save your password), the login section has the autocomplete value set to off for the password field. As a result, the browser will not pick up this field for its auto-complete password database.

The Fix: A Simple JavaScript Function

Fortunately, the fix is equally simple. We merely need to change the value of this attribute, wherever it is present, to “on”. Thanks to the ability of JavaScript to manipulate the DOM (document object model), you can easily do this with the click of a bookmark.

The JavaScript function is embedded in the link below. You can either drag the link to your bookmark bar or right-click on it and bookmark the target link. Once this is done, simply clicking on the bookmark will run the “Allow Password Save” script on the current page.

Allow Password Save

If the link above doesn’t work, then here is the source for the link. You can create a bookmark with the following as its source URL:

javascript:(function(){var%20ac,c,f,fa,fe,fea,x,y,z;ac="autocomplete";c=0;f=document.forms;for(x=0;x<f.length;x++){fa=f[x].attributes;for(y=0;y<fa.length;y++){if(fa[y].name.toLowerCase()==ac){fa[y].value="on";c++;}}fe=f[x].elements;for(y=0;y<fe.length;y++){fea=fe[y].attributes;for(z=0;z<fea.length;z++){if(fea[z].name.toLowerCase()==ac){fea[z].value="on";c++;}}}}alert("Enabled%20'"+ac+"'%20on%20"+c+"%20objects.");})();

From our testing (using PayPal as the test site), this worked as expected in Firefox 4 and in Internet Explorer 9. Unfortunately, we could not get it to work within Chrome despite the success message that autocomplete was enabled.

The procedures for using it are almost identical in each browser with Internet Explorer requiring one additional step.

Usage in Firefox

When you visit a site that does not allow you to save your password, run the “Allow Password Save” script. You should see a notification like the one below.

Enter your user name and password like normal and upon logging in, you will be prompted to save your password.

The next time you visit the page, your user name will be filled in automatically, but not the password. In order for the password to be auto-filled, you first have to put the focus in the user name field. You can use either a mouse click or Ctrl + Tab if the password field has focus.

Now when you move the focus from the user name field either with a click or Tab, your password will automatically fill in.

Usage in Internet Explorer

When you visit a site that does not allow you to save your password, run the “Allow Password Save” script. You should see a notification like the one below.

Enter your user name and password like normal and upon logging in, you will be prompted to save your password.

The next time you visit the page, your user name will be filled in automatically, but not the password. You will need to run the “Allow Password Save” script again and you should see the same notice as above.

In order for the password to be auto-filled, you first have to put the focus in the user name field. You can use either a mouse click or Ctrl + Tab if the password field has focus.

Now when you move the focus from the user name field either with a click or Tab, your password will automatically fill in.

JavaScript Source

If you are curious how the script works, here is the well formatted and commented source. Feel free to modify it as you see fit.

(function() {
   var ac, c, f, fa, fe, fea, x, y, z;
   //ac = autocomplete constant (attribute to search for)
   //c = count of the number of times the autocomplete constant was found
   //f = all forms on the current page
   //fa = attributes in the current form
   //fe = elements in the current form
   //fea = attributes in the current form element
   //x,y,z = loop variables

   ac = "autocomplete";
   c = 0;
   f = document.forms;

   //cycle through each form
   for(x = 0; x < f.length; x++) {
      fa = f[x].attributes;
      //cycle through each attribute in the form
      for(y = 0; y < fa.length; y++) {
         //check for autocomplete in the form attribute
         if(fa[y].name.toLowerCase() == ac) {
            fa[y].value = "on";
            c++;
         }
      }

      fe = f[x].elements;
      //cycle through each element in the form
      for(y = 0; y < fe.length; y++) {
         fea = fe[y].attributes;
         //cycle through each attribute in the element
         for(z = 0; z < fea.length; z++) {
            //check for autocomplete in the element attribute
            if(fea[z].name.toLowerCase() == ac) {
               fea[z].value = "on";
               c++;
            }
         }
      }
   }

   //report how many autocomplete attributes were found and set to "on"
   alert("Enabled '" + ac + "' on " + c + " objects.");
})();
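
The number in the script's alert is the count of autocomplete attributes it found, so a page that never sets the attribute reports 0 objects. The read-only audit below is an added example, not part of the original script: it lists each form field's effective setting (a field's own attribute overrides the form's, and the default is on). The function names and the stub form data are constructed for illustration.

```javascript
// Added example: read-only audit of the autocomplete settings that the
// article's script rewrites. Pass a browser `document`, or the constructed
// stub below when running under Node.

// Return the normalised attribute value, or null when the attribute is absent.
function readAutocomplete(node) {
  var value = node.getAttribute("autocomplete");
  return value === null ? null : String(value).trim().toLowerCase();
}

// List every form field with its form-level value, its own value and the
// effective setting: the field's attribute wins, then the form's, else "on".
function auditAutocomplete(doc) {
  var report = { explicitAttributes: 0, fields: [] };
  for (var i = 0; i < doc.forms.length; i++) {
    var form = doc.forms[i];
    var formValue = readAutocomplete(form);
    if (formValue !== null) report.explicitAttributes++;
    for (var j = 0; j < form.elements.length; j++) {
      var el = form.elements[j];
      var fieldValue = readAutocomplete(el);
      if (fieldValue !== null) report.explicitAttributes++;
      report.fields.push({
        form: i,
        name: el.name || "(unnamed)",
        type: el.type || "",
        formValue: formValue,
        fieldValue: fieldValue,
        effective: fieldValue !== null ? fieldValue : (formValue !== null ? formValue : "on")
      });
    }
  }
  return report;
}

// Names of password fields whose effective setting is "off".
function blockedPasswordFields(report) {
  return report.fields
    .filter(function (f) { return f.type === "password" && f.effective === "off"; })
    .map(function (f) { return f.name; });
}

// --- Constructed sample data (hypothetical forms, not taken from any site) ---
function stubNode(attrs, props) {
  props.getAttribute = function (name) {
    return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
  };
  return props;
}

function sampleDocument() {
  return { forms: [
    // Form 0: only the password field opts out.
    stubNode({}, { elements: [
      stubNode({}, { name: "login_email", type: "text" }),
      stubNode({ autocomplete: "off" }, { name: "login_password", type: "password" })
    ] }),
    // Form 1: the form opts out and the field inherits it.
    stubNode({ autocomplete: "OFF" }, { elements: [
      stubNode({}, { name: "pin", type: "password" })
    ] }),
    // Form 2: no autocomplete attribute anywhere.
    stubNode({}, { elements: [
      stubNode({}, { name: "search", type: "text" })
    ] })
  ] };
}

var target = typeof document !== "undefined" ? document : sampleDocument();
var result = auditAutocomplete(target);
console.log("autocomplete attributes found:", result.explicitAttributes);
console.log("password fields with saving disabled:", blockedPasswordFields(result));
```

In a browser console, call auditAutocomplete(document); an explicitAttributes value of 0 corresponds to the script's "0 objects" message.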

Jason Faulkner is a developer and IT professional who never has a hot cup of coffee far away. Interact with him on Google+

  • Published 05/16/11

Comments (45)

  1. jon_hill987

    There is normally a good reason why these sites have auto-complete disabled. I don’t really want my bank password being filled in if someone steals my computer and looks through my history for example…

  2. Bart

    Bookmarklet link is bad.

  3. Andy

    This is a huge security breach! At least in Firefox’s built in pass manager passwords are stored in plain text!

    Just use LastPass or KeePass.

  4. Nick

    The link is bad, doesn’t work right for this or any other page for that matter it seems. Can we get a new one please?

  5. Matt V.

    “in light of recent events with Lastpass”

    Media sensationalism. You write that without explanation which means you imply there was a breach of security. You could have easily left those few words out unless you yourself are ignorant of the facts. If you aren’t, then why imply to those who don’t know there was a security problem?

    Lastpass was very forthcoming about an anomaly and took the paranoid “better to be safe than sorry” approach and asked some users to change their master password. An actual breach was highly unlikely. Even *if* there was, all that could be gotten is a bunch of *really* strong encrypted garbage. Then if they wanted to try and brute force it, your data is as strong as the master password you select.

    So if you select “12345” as your MP, you only have yourself to blame (“I have that same combination on my luggage!”). Then if you change your MP as they suggest, then brute forcing the encrypted data is nigh-impossible.

    I continue to use Lastpass per the recommendation of well-respected security experts and I don’t have to use insane procedures such as this that actually compromise your local security.

  6. Jason Faulkner

    It appears the site is automatically prefixing the URL to the bookmarklet link. I have added the bookmarklet source until this is fixed.

    @Andy – No they are not. If you put a master password on your PW’s, they are encrypted using your master PW as the key.

    @Matt V – I am well aware of the LastPass events and call me paranoid, but I don’t trust a 3rd party service with the “keys to the kingdom” so to speak. Look at what happened with DropBox… the data was supposedly encrypted on their side, but it turns out they can access the raw files if compelled to do so. I personally believe I can protect my data better than any publicly available 3rd party website, no matter how secure they claim to be.

  7. Cambo

    @Jason – with regard to LastPass

    I’m not sure you’re fully up to speed on how LastPass works.

    Have you actually taken the time to read LastPass’ whitepapers on how your data is encrypted locally first, then stored in their databases?? They don’t even have your Master password. Your Master password is stored locally, and can only be used to decode or encrypt the data. Even if they were hacked and the data stolen, it would take hundreds of years for a decryption utility to attempt to break it.

    Plus, there was no confirmation of an actual breach. They noticed a data anomaly, and warned everyone ahead of time. Then they forced additional Authentication methods if you’re coming from an unrecognized IP. +1000 for being proactive. Stuff happens- it’s when people are kept in the dark about it that pisses people off.

    Secure? Yes. But only as secure as you make your passwords.

  8. Jason Faulkner

    @Cambo – As I understand it, LastPass works the same way FF internal PW system (assuming you put a master PW on it) or KeePass system works: your password info is encrypted using the master PW as a key. The major difference being LastPass stores your data on their servers as opposed to the other methods storing it locally on your system. Of course the data in both places is only as secure as the master PW protecting it.

    Ultimately, it all boils down to personal preference with where you want to keep your login data… on your system or in the cloud. Again, call me paranoid but I would rather protect this data myself as opposed to trusting it to the cloud.

  9. Cambo

    However, LastPass’ encryption methods are much, much stronger than FF.

  10. Gary

    what do you mean “run” this script? where is it to be run?

  11. Jason Faulkner

    @Gary – Click the bookmarklet link (which you add to your browser bookmarks) on the respective page and the javascript will be run on it to enable autocomplete on the page where it does not allow your password to be saved.

    Depending on the browser you use, follow the respective steps provided above.

  12. Gary

    Jason thanks for the time you took to answer a stranger’s question. Very thoughtful.
    Gary

  13. David

    Surely I’m not the only person who is shocked at how easy it is to reveal my passwords in Google Chrome? Options > Personal Stuff > Passwords > Manage Saved Passwords: you can then click on each stored username to reveal the passwords – and they remain on the screen as long as you leave it open. I don’t think I want to start saving even more passwords in Chrome!

  14. Jason Faulkner

    @David – I don’t think Chrome (like IE) has the option to set a master password like FF does. For this reason, I would agree that you should be selective on any PW’s you store in their PW manager.

  15. Bob

    Are you going to post a fixed version of the bookmarklet?

  16. Bob

    never mind–I made my own bookmarklet by pasting the source into the address bar, pressing enter, then bookmarking. Tried it on Paypal, works fine, but read carefully… You must give focus to user name (put your cursor in there) and pw blank form will be autocompleted.

  17. Ding A Ling

    Are you INSANE?!

    Anything that can be written to an unencrypted file can be cracked! ANYTHING! All it takes is the willingness and time for a crook to figure out how to do the cracking.

    Therefore, I rely on extremely old tech — pen and paper. And locking up paper is what banks have relied on for hundreds of years. So why reinvent the wheel?

    Forget browser passwords. Haven’t we been burned enough with insecure software? Let alone any browsers?! And forget the idiot sites that want you to make a profile where you need to remember passwords too. These idiot sites almost always want your email but just how hard do these dummies think it is to get an email address where you are named “God Almighty” at dipstick-dot-com or something? I mean, haven’t they even heard of 10 minute email?

    If passwords are that important and worth remembering then WRITE IT DOWN AND LOCK IT UP! Do we really need to get kicked in the wallet and have our identities stolen before we learn that COMPUTERS ARE NOT SECURE?!

    So if you’re stupid enough to let your browser remember your passwords then you deserve what is inevitably going to happen to you. You’ll get no pity from me. I’ll be the one laughing at your a$$!

  18. Roi

    @Ding A Ling
    With a good enough encryption (like the one LastPass uses) the “time” will be inconvenient for a hacker, even if his “willingness” is high. It would take hundreds of years to crack such encrypted files.

  19. Johnny

    You didn’t describe how to create bookmark link with its source URL:
    Please HOW ?????

  20. Senina.chung

    I often use the built-in feature autofill in Avant browser to save my account and password.

  21. Jason Faulkner

    @Bob – I cannot fix the link. WordPress is “adjusting” the URL source of the bookmarklet by replacing “javascript:” with the URL of this page. This is why I updated the article to include the bookmarklet source in plain text.

    @Johnny – Here are the steps since the bookmarklet doesn’t seem to work:
    1. Drag the bookmarklet to your bookmarks toolbar or right click on the link and bookmark it (yes I know it doesn’t work, but do this step).
    2. Copy the source of the bookmarklet from the box below. This is the text in the box that starts with “javascript:”
    3. Edit the properties of the bookmark you created in step 1 and paste the text you copied from step 2 in the source URL.
    4. Save your changes and it should now work.

  22. Pop

    This is cool and all…but is there a way to change FF’s ability to save passwords, once you’ve already told it how to handle a particular site? For example, I mistakenly told it to NOT save a pw for a particular Twitter account. Now, it refuses to save that particular Twitter account – but it WILL save it for any other Twitter account on the same computer. In FF’s options-security tab, you can only delete saved PWs.

  23. Furryface

    NO WAY would I want my browser to save passwords. I do everything from the computer including all my banking. I don’t want to run the risk of having my password peeked at somehow with some Malware or whatever. I’ll just continue to type in my password on secure sites. My wife is so paranoid she won’t even let her browser remember her banking on line number and types it in every time.

  24. dan mcelroy

    Sirius XM will not let me save credentials. I applied the source code method and received the “enabled autosave on 0 objects”. Firefox is set to autosave.

  25. Jason Faulkner

    @dan mcelroy – The Sirius login page is a Flash object, so this will not work since Flash is its own entity which goes beyond the browser.

  26. Jason Faulkner

    @Pop – In FF, Tools > Options > Security > Passwords (section) > Exceptions (button). Remove Twitter from the exclusion list.

  27. Pop

    @Jason: I wish it was that easy. Twitter’s not on that list. For some reason FF’s saved SOME twitter account passwords, and not others. Same with facebook. Might be a weird quirk with FF 4. No biggie.

  28. AM

    Thank you.

  29. prem

    Hi, is there any option to force the browser to save the password without asking the save password yes or no option?

  30. Jason Faulkner

    @prem – As far as I know, every browser will prompt you whenever it detects a new password to save and there is no way to change this behavior (other than disabling PW saves).

  31. Becca P

    Hi – using IE 8.0
    1) I saved the link, got a 404 error when clicking.
    2) Replaced the URL with the script and got a message saying “The protocol Javascript does not have a registered program. Do you want to keep this target anyway?” Said Yes, saved.
    3) Clicked the link and got a message saying “enabled autocomplete on 0 objects” and took me to another 404 error page. Went back to the page and tried logging in but it didn’t save.

    Any ideas? I do have java (6.26) on my machine.

  32. Jason Faulkner

    @Becca P – See my comments above in response to Johnny. I haven’t tested this on IE8, only IE9.

  33. Becca P

    @Jason Your comments to Johnny are what I read and followed.

    When I edited the properties of the bookmark, that’s when I received the Javascript error I mentioned previously.

    The URL of the link is “javascript: … .”);})();”
    (truncated here to save space – my bookmark has your whole text)

    Is there any chance that there’s some IE tools option that needs to be selected to associate Javascript with a bookmark?

  34. SRIHARI

    It’s not working. I am using FireFox 7.0.1

  35. Mr Know-It-All

    Well after reading some of the friendly and… well, not-so-friendly banter here, I want to throw in my two cents…

    First, to the original author.. Thanks for taking the time to post this information. It’s always interesting and useful to learn the “how” and “why” of why and how things do the things they do. Of course, it then remains up the end-user to decide whether or not the risk of something is worth taking. I always believe that knowledge is better than the lack of it.

    As for LastPass… I am not familiar with this product (I had to Google it when I visited this page)… Bravo to them for being proactive and forthcoming. I agree with a previous poster who said, “Things happen… It’s when companies keep people in the dark that p*sses people off…” You’re 100% right. Like another poster though, I also dislike the idea of information being stored under someone else’s lock and key. I’m not so much paranoid as I am prudent– I do agree that highly encrypted data, coupled with good general security procedures, is inherently more secure than even some tried-and-true methods (i.e., pencil and paper), but when I don’t have 100% of the control over that data, then it is subject to someone else whims. Again, I’m not familiar with the whole DropBox thing that was mentioned above, but I don’t like the idea that at some point the government, some court, the IRS, whomever… could potentially compel anyone to hand over my private property.

    Unlike tangible property, where, as the saying goes, “Possession is 9/10ths of the law”, there is something implicitly “private” about information. What’s in my head is mine and in my head; If I write down a secret, and then later decide to shred it, it’s gone. The problem with electronic information is that, although it shares the same implicit sense of being private, (i.e., I delete my file and it’s gone; I dump something in the trash can in Hotmail and it’s gone), such is not the case. Obviously “we” (or presumably most of us anyway in this forum) understand this is not truly so, but for “the rest of us”, the notion that anything in electronic media, to say nothing of cyberspace, is never truly “gone for good”. Until that notion is common knowledge, people are always going to fall victim to the false assumption that private data is private, when in fact, it is not.

    As far as the whole thing of “secure” or “not secure”, as some have already said, your data is only as secure as the weakest link in that chain. If your master password is 12345, then don’t be too surprised when someone steals your identity. And, I’d hazard a guess that that’s your master password, then your other passwords are probably no more secure. Someone pointed out the “tried and true” method banks employ of locking up paper, stating that’s the best way to keep things secure. I would agree that for data that is highly sensitive, but seldom used, this tried-and-true method is probably the way to go. The problem with this approach is convenience– It’s decidedly inconvenient (and impractical in fact) for me to go dial open the safe and get out my little black book of passwords every time I need to log into something.

    I’ve had (and lost, unfortunately) this argument for YEARS in corporate IT security over the idea of password policies. In short, I think a lot of these problems of insecure passwords are exacerbated by inconsistent IT policies regarding the strength of passwords and other policies (such as forced renewals). The problem IT managers face is users who create passwords like “Password” and then use that password on every system within an organization– When a weak password like that is cracked, you’ve just given away the keys to the entire organization. Rather than combat the REAL problem (weak passwords), they foist policies on users that attempt to encourage strong passwords (i.e., must contain one letter, one special character, etc.) and then renewal policies that force users to change the passwords every so many days. The problem is that the systems don’t all share the same renewal / strength policies. As a result, people choose sets of passwords that they can easily remember, such as “Micky01”, “Mickey_Mouse01”, etc, and then just increment the number with each successive iteration. They do that because all those different policies make it impossible to create passwords that follow the BEST password policy of all, that is, “Easy for YOU to remember, hard for ANYONE ELSE to guess”. For YEARS I had the same 16-character alphanumeric password for everything… A string of letters and numbers that meant something significant to ME that no one would guess in a MILLION YEARS. Now, in my corporate environment at least, I have to have 16 different passwords, all of which have different (and sometimes incompatible) strength and renewal policies. Since they’re all now DIFFERENT, it’s nearly impossible to remember them all, which necessitates tools or procedures to store them in a manner that is convenient to retrieve them when I need them, but not convenient for others to steal.

    So… My point of this long rant… to the person who was criticizing people for wanting to store passwords in the first place, I agree that the user should be aware of the fact that passwords stored anywhere (on your local PC or someone else’s server) are subject to certain vulnerabilities, and to protect those sources with the requisite level of security. Since I can’t carry my gun safe around town with me, it’s not really practical to keep them all under lock and key. I personally feel better about the security of protecting my laptop, for example, from unauthorized use, than I do about having usernames and passwords scribbled down on a piece of paper in my wallet.

    Again, thanks to the original author for posting this. I’m not really a big JavaScript person, so it’s always nice to know the little tricks of how the DOM works... Especially if I would author something and perhaps would not want the passwords to be auto-completed, for reasons already discussed here.

    Clink, clink…

    – Mr KIA

  36. Zac Boyles

    Dear Editor and Friends,

    To get this solution to work in Chrome was quite simple. With that said, I have only completed this using the Keychain Access application in OS X so far but I believe Windows 7 can accomplish the same thing with Credential Manager in the Control Panel.
    Note: If attempting this in Windows 7, wherever I make a reference to the Keychain Access application, simply replace that with the Credential Manager. Also, when I reference a Keychain Item, there are two different options in the Credential Manager – Add a Windows credential and Add a generic credential – you’ll obviously need to select the proper one. If you’re not sure, simply try both. I should give this a try tomorrow but I can’t make any promises.

    Step 01
    In OS X, open the Keychain Access application. Make sure the “login” Keychain is selected in the box located in the top left corner. Now press the plus button at the bottom to add a new Keychain Item. In the Keychain Item Name enter in the full Url – as it clearly describes in the instructions. Then for Account Name you can enter whatever the username of the site is. This can be a username which is an email address, a domain\username or whatever else you’re usually required to type in. Finally, enter the password in the Password box and click the Add button. Note: I added two of these Keychain Items, one for HTTP and the other for HTTPS just to be sure.

    Step 02
    Once you’ve added the Keychain Item, find it and open it. You should see two tabs/buttons at the top, Attributes and Access Control. Click on Access Control. You’ll notice you have the options of adding applications in the list box which will have your approval to access this saved Keychain Item. Click the plus button and navigate to Google Chrome in the Applications folder or wherever it’s installed. While you’re in here you might as well add any other browser you might wish to grant access to. I added Safari and Opera.

    Note: In a normal situation, steps 01 and 02 are done for you when you’re prompted to save a password through the browser. When using the Javascript bookmark, all Chrome seemed to do was allow the username to autocomplete once you started typing it. As for the password, it didn’t seem to be remembered. Also, I was still never prompted to save the password. This is why I decided to go ahead and complete Step 01 and Step 02.

    Step 03
    In Chrome, navigate to the site you added to your Keychain Access. Press the special Javascript bookmark, then fill out the page and login to the site. Once logged in, simply close the page and quit Chrome. From this point on I’ve been able to open the site and be automatically logged in. To be clear, I mean completely logged in without any typing or clicking submit. It appears that the moment Chrome sends a request to the site, it notices I have saved Credentials which it passes directly to the site and I’m allowed safe passage.

    Back to the Editor,
    This is so great! Thank you for your post. The site I’m using this for is something for work which I must access many times throughout the day and they have a very strict policy on it. On top of disallowing saving passwords, the idle time is set to like 5 minutes. But hey, it doesn’t seem like it matters now, at least as far as my testing has ventured so far.

    Thanks,

    Zac Boyles

  37. V Lemon

    Hi, I was never able to get either your “Allow Password Save” Link w/the embedded JavaScript or your source as a URL to work – just get an error “Internet Explorer cannot display the webpage” in both cases. I am ABSOLUTELY COMPUTER ILLITERATE, so please be kind w/your response to this likely dumb question…here goes: I found that when I am on the Login Page for the particular Site that will not allow me to save my password like many others will (I have it set so in my IE9 settings) I can Right Click and select “view source” to OPEN the view the Longin.html – Original Source which reflects 400 lines of script – and on line 392 in the statement …..input type=”password” autocomplete=”off”, and I thought I might cleverly be able to simply change it to on, but it will not let me alter/edit. Is there a way to do this, since I can’t get the link or source you indicated to work? Thanks

  38. Jason Faulkner

    @Zac Boyles – Thanks for taking the time to write the steps for Chrome.

    @V Lemon – see my comment to Johnny in the thread above: http://www.howtogeek.com/62980/how-to-force-your-browser-to-remember-passwords/#comment-131852

  39. V Lemon

    Jason, thanks for your response…Yes, as I had mentioned, when I followed the instructions provided to Jason, it did not work for me. Likely because I have no clue as to what I am doing… Let me ask you this…after I have created this new bookmark w/the proper URL pasted in….how do I apply it to the situation I need it applied…to a particular website? Do I go to the website’s sign in page and then click on the new bookmark? (remember, you are talking to a REAL non technical person, so I am sorry if this sounds like a dumb question). Thanks a bunch! (if it matters, I am using Windows 7 and IE9)

  40. V Lemon

    Jason, OK…it is “sort of” working for me…but I imagine not as you are intending??
    Here is what is happening…followed your VERY good step-by-step instructions for IE…
    It works as you advised, but every time I return to the Site, after placing the focus first in the Username box and tabbing so that the focus is in the Password Box – NOTHING happens as always, but if I then run the “Allow Password Script” bookmark AGAIN and place the focus on the Username and then tab to the Password – the Password appears then….but again, next time I come to the site….I have to do this all over again as NO password appears when I tab from Username Field….Are we supposed to have to run this each time?
    Thanks!

  41. Jason Faulkner

    @V Lemon – In my testing, IE appeared to be temperamental with altering the “autocomplete” tag via javascript. The script would work but you had to play with it a bit.

  42. V Lemon

    Jason, Well, it won’t work w/out redoing it every time, but that is ok…at least I don’t have to remember the password or look it up…I just activate the Username field and then run the bookmark and then tab to the password and it fills in…better than where I was before thanks to your offering.

  43. RS

    Hello Jason,

    This is really good info you are sharing. Contrary to some of the comments above, I would like to put it to the right use.

    I have tried this for IE (Cannot use Firefox). Works for Paypal but does not for the site I intend to use this for. This is an internal business objects login page which works only within the VPN, which I would like to save the login credentials on a shared resource, so my back fill can refresh the reports in my absence.

    Are there any tweaks I need to do?

    Thanks,
    RS

  44. RS

    Adding more detail to my last post, When I click on the book mark, I get “Enabled ‘autocomplete’ on 0 objects”.

    Thanks,

    RS

  45. Jason Faulkner

    @RS – If there are no HTML elements with the autocomplete attribute, this will not work. It is possible the site you are referring to could be using Flash/Silverlight/etc. to hold the login fields which this script cannot manipulate.
