Prepopulate Username and Password in Login screen
I have designed a standard login screen in ASP.NET like below:
As usual when operator selects “Remember me”, we expect system to not ask operator for credentials anymore and go directly to default (home) page. My business team saw something on internet and they believe that when “Remember me” has been selected we need to pre populate the username and password and wait for customer to press “LOG IN” button:
I haven’t seen this practice so often and I am not very comfortable to do it. Although, I don’t have a good technical argument to explain and change their mind.
I am basically looking for good argument to explain cons and pros of above scenario.
Never ever should you pre-populate a passwords edit field. If you do so, everybody is able to read the plain-text password, if he can open the login form on this computer. A few minutes on an unlocked office computer would be enough to check the browser history, afterwards the attacker can login whenever and whereever he wants.
If you have a remember me function, and the user has logged in using this function, then there is no need to display the login form at all. You can just display the content. In this case, an attacker can do things with the account, but he cannot login unnoticed later from somwhere else.
I think (hope) you saw the pre-populated password field, because the browser filled in the content, and not the website did it. Maybe there is a password manager installed.
- 404 page not found when running firebase deploy
- .NET 8 Blazor Server - role authorization with Windows Authentication
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- Symfony2: How to change Entity Manager just before doing login_check
- JWT signature verification failing
- SMAppService register() - How to detect launch at startup/login vs regular launch?
- AppwriteException: User (role: guest) missing scope (account), not able to get account after creating a session
- authMiddleware doesn't exist after installing clerk
- Stop request in CookieAuthenticationEvents.OnValidatePrincipal after response body has been written to
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- How to change the app name for Firebase authentication (what the user sees)
- How do I restrict Apache/SVN access to specific users (LDAP/file-based authentication)?
- Unexpected authorization behaviour in a Blazor Web App with .NET 8
- MongoDB: Understand createUser and db admin
- Update react context without refreshing page on state update
- What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
- Keycloak retrieve custom attributes to KeycloakPrincipal
- Secure Google Cloud Functions http trigger with auth
- Cannot authenticate in fresh installed Laravel 11 with MySQL/MariaDB
- authentication with only username (id) in laravel
- Having problem Authorizing Authenticated user account in Web API
- What is the purpose of a "Refresh Token"?
- AuthenticationHandler's ChallengeAsync does not contain the failures
- What to validate 'iat' and 'sub' claims of a JWT against?
- Custom authentication provider in silex application
- login and logout in several laravel projects
- ProviderSettings class not found it says Cannot resolve symbol ProviderSettings
- Azure Devops pipeline, git authentication only works with -c http.extraheader
- Difference between frontend user authetication and backend user authentication
- How to get the popup menu to select user certificate in Tomcat 10 server?