@mattab
The goal of this issue is to create a new config file setting to enable autocomplete=off on all password fields in Piwik.
Steps
- New config setting
- Applies to Login form, Password reset form, and other password field in Manage users admin screen
Reasoning behind the request:
In february this year someone made the suggestion in PR #231 and I decided to not put it in Piwik core as there seems to be a lot of people arguing against this measure as it breaks the usability of password managers. For more info on the pros/cons see: https://startpage.com/do/search?q=autocomplete%3Doff%20security
However because some users like this setting and because it does provide better security in some cases such as a Piwik accessible to dozens of people, then we should simply add such a useful setting.
@narion
Is there any update on this features addition?
@sgiehl
That isn't anything we will work on soon. But Pull Requests are always welcome 🙂
@christophs78
Our security folks think we need to set autocomplete=off. Currently we have to modify the matomo-installation after each update manually. We would really appreciate a config-setting for this.
@Findus23
Hoenestly this doesn't matter anymore. Website developers have abused autocomplete="off" to break password managers so that most browsers started to side with the users and are ignoring it now.
We meanwhile have a autocomplete=off on all password fields and there shouldn't be any sense in having a config to remove that.