News

Microsoft Changes IE 11 Password Handling on Windows 8.1

• By Kurt Mackie
• 06/25/2014

Microsoft changed how Internet Explorer 11 handles password information on forms with the aim of giving users more control.

The change applies to how the Autocomplete function works when a user accesses a forms page. IE 11 will now prompt a user to save their password for a given site even if the attribute for login forms is set to "autocomplete=off," according to Microsoft's announcement this week.

The announcement referenced only Windows 8, Windows 8.1 or Windows Phone 8.1 operating systems. Presumably, the password and Autocomplete forms changes don't take effect for users of IE 11 on Windows 7 machines.

Giving Users Control
This change in how Autocomplete works was made to avoid confusing users who may be puzzled why their passwords are recalled on one site but not another. Microsoft contends that users should have the control over saving passwords for sites and devices.

Users can manage the passwords they use for Web sites in Windows 8 via the Credential Manager, which is located in the Control Panel on the Desktop side of the operating system. Windows 8.1 users can do the same thing via Internet Options, located on the Windows Store Apps ("Metro") side of that OS.

Users can block this new password-handling functionality in IE 11, if they wish. A user who has taken the initiative to disable Autocomplete for user names and passwords on forms in IE 11's settings will not get prompted to save passwords, according to Louis Martinez of Microsoft, who answered some readers' questions in Microsoft's announcement.

Amy Adams, senior program manager for Internet Explorer, indicated that other browsers, such as Safari, Opera and Chrome, will also save passwords when the forms attribute is set to "autocomplete=off."

"In general this is a direction the browsers are moving towards as users need to have control over saving and managing their credentials for any site," she explained.

Prepopulated Forms
Another change for Windows 8.1 and Windows Phone 8.1 users of IE 11 is that form fields will get prepopulated with credentials information automatically. This approach avoids the previously more clunky approach in which users have to click into each field to populate it. Microsoft said the latter approach was problematic on touch-screen devices. However, Microsoft puts some restrictions on the prepopulation behavior of IE 11 for Web developers to note, as described by Martinez:

• The site must be an SSL site.
• The site certificate must be valid and the page must not have mixed SSL and non-SSL content.
• The login form must not be in a frame.
• The tab must not be in inPrivate mode
• The user must have exactly one credential stored for the site (If two or more credentials are stored for the same site, we won't auto-populate, as we wouldn't know which user is currently using the machine)

Martinez contended that those restrictions are aimed at preventing malicious Web sites from harvesting users' credentials information.

Credentials Recall
Microsoft also announced that IE 11 on Windows 8.1 and Windows Phone 8.1 will recall a user's credentials saved for an app across that app's domain. It's designed to speed up the sign-in experience across apps and devices.

IE 11-stored credentials now can be roamed, too. If they are stored for a Windows 8.1 device, they can roam to other Windows 8.1 devices, or even to Windows Phone 8.1 devices.

Microsoft offered some tips for developers to make the new IE 11 functionality work. According to Microsoft, login forms must meet the following criteria:

• Contain both a username and password to login to a service
• Username and password fields are encapsulated in the HTML5 form element
• Uses HTML5 standard input types for username field that accept free-form user input
• Uses HTML5 password input type is used for the password field
• DOM Level 2 submit event is fired upon submission of the form and credentials are not cleared before the submit event is fired