Random Thoughts – Randocity!

Stupid Security Measures: autocomplete=off – How To Turn Off or Disable

Posted in banking, security, technologies by commorancy on April 16, 2012

While I’m all for some browser related security, this one feature is completely asinine because it’s so unpredictable, uncontrollable and stupidly implemented. This is the complete opposite anyone should expect from a quality user experience. Let’s explore.

What is auto-completion?

Most browsers today will automatically fill forms and password fields from locally saved browser login and password information (usually the field is yellow when automatically filled). This is called autofill or autocompletion. While I admit that storing passwords inside a browser is not the smartest of ideas, specifically if it happens to be connected to your bank account. With that said, it is my choice. Let me emphasize this again loudly. Saving passwords IS MY CHOICE! Sorry for yelling, but some people just don’t listen or get this… hello Chrome, Firefox and IE, you guys (especially Chrome) need to take notes here.

So what’s this autocomplete=off business?

As a result of autocompletion, the browser creators have decided to give web site creators the ability to disable this mechanism from within their own web pages. So, when they create forms, they can add the tag “autocomplete=off” to the form which prevents the browser from storing (or offering to store) passwords or other sensitive information. This is fine if the browser would give the user the choice still. It doesn’t.

I’m fine with browsers trying to prevent stupid behavior from users, but always provide an override. Never implement features like this, however, at the expense of a frustrating and inconsistent browser experience. This is exactly what autocomplete=off does. Why? The browser doesn’t give the user control over this web page mechanism nor does it even warn of it. If the site sets this flag on their form, the browser won’t offer to store anything dealing with this form. That’s fine IF I can disable this behavior in the browser. I can’t. As I so loudly said above, this is MY choice. Make this a preference. If I want to store logins and passwords for any site on the Internet, it’s my choice. This is not Chrome’s choice or Wells Fargo’s choice or any other site’s choice. If you offer to store and save passwords, you need to let me do it under all conditions or don’t offer to do it at all. Don’t selectively do it based on some random flag that’s set without any warning to the user.

Inconsistent Browser Experience

When autocomplete=off is set on a form, there is no warning to the user that this value is set. The browser just doesn’t save the password. You have no idea why, you don’t know what’s going on. You expect the browser to offer to save and it doesn’t. This just makes the browser look broken. And, frankly, it is. If the browser can’t warn that autocomplete=off is set by the site through changing the color of the bar, flashing, an icon or some other warning mechanism (like the lock when https is in use) the user experience has been compromised and the browser is broken. This affects not only Chrome, but IE, Safari and Firefox. Yes, and this is extremely bad browser behavior. It’s also taking a step back in time before web 2.0 when the browser experience became more positive than negative. We’re heading back into negative territory here.

Browser Developers Hear Me

Not warning the user that the experience is about to change substantially is not wanted behavior. For auto-completion, we already have mechanisms to shut it off entirely. We have mechanisms to exclude sites from saving credentials. Why do we need to change the browser experience just to satisfy Wells Fargo or some other site? I’m all for letting these sites set this flag, but just like overriding bad certificates at https sites, users should be able to override autocomplete=off. There is no need to break the browser experience because you want to allow sites stop saving of passwords. No, again, hear me, it’s MY CHOICE. It’s not your choice as a developer. It’s not Wells Fargo’s choice. It’s not PayPal’s choice. It’s MY CHOICE. If I want to save passwords into my browser, allow me t0 always override this setting.

Hacks Galore

Yes, there are browser hacks available as browser extensions (Chrome or Firefox) to disable autocomplete=off on forms on sites. While these hacks work, they require updating, can break on browser updates and can be generally problematic under some conditions. No, this is an issue that firmly needs to be addressed in the core browser, not through clever browser add-on hacks. Let the sites set autocomplete=off, that’s fine. But, warn me that it’s turned on and let me override it. I shouldn’t need a hack to fix a bug in the browser.

Always Warn of Browser Experience Changes

Why am I going down on this issue so hard? Because this is a completely crappy implementation of this feature. Why? Because it breaks the user’s browsing experience without any warning. If this the page is attempting to prevent me from saving credentials, then this information should be marked clearly in the browser somewhere. Perhaps by adding a special icon to the address bar indicating that credential saving is not allowed on this site. Then, when I click that small icon, I should be able to override this behavior immediately. Again, this is my choice to store or not store passwords to the browser. There should never be any defacto security mechanisms which cannot be overridden by a user control. Never!

If the user chooses to do something stupid, that’s the user’s choice. No, it’s not a bank’s, chrome’s or any other company’s responsibility to ensure the safety of user data. It’s entirely the user’s responsibility and those choices should be completely left up to the user to decide, for better or worse.

[Update] Safari is now warning when autocomplete=off is set on a page. Safari now tells you that the site you are visiting doesn’t allow saving of passwords. Bravo to at least Apple for getting this one right.

I have also found that Firefox with the Greasemonkey plugin and this Greasemonkey script works best for completely disabling all pieces of autocomplete=off.  While the above plugins do at least allow saving passwords, the plugins don’t always allow autocomplete to work.  This means that if you want to see your credentials autopopulate into the fields on page load, you may have to use Greasemonkey instead. I have found that the Greasemonkey solution is the most complete at disabling autocomplete=off.  The reason this works is that Greasemonkey actually removes this autocomplete=off pieces from the page before Firefox renders it. The other plugins just tweak the browser to ignore the setting for password saving, but it still exists in the page source and, thus, the pieces that manage the autocomplete parts are left unhandled.  So, these pieces still don’t populate the fields.

Tagged with: , , , , , , , , , , , , , , , , , , ,

40 comments

Analyzing the bad Mass Effect 3 ending

Posted in science fiction by commorancy on April 12, 2012

So, when you next head over to Amazon, but not right now, you will find a bunch of very negative reviews of Mass Effect 3.  Apparently, there’s somewhat of a backlash going based the last 10 minutes of Mass Effect 3.  It seems, though, that most gamers including myself have found the lead up to the ending reasonably enjoyable if not overly short. As I said in my previous article on this subject, it wasn’t until the very end where it all fell apart.  So, I’m going to analyze why this ending sucked so much.  Again, spoilers ahead so stop reading now if you want to play..

My Analysis of the Backlash

When you create a multi-part game, you have to keep in mind the goal and outcome for the final character.  Players have invested substantial time into not only the story, but in building out their own character in that universe.  At the same time, the story being built needs to slowly introduce new concepts along the way so we’re not surprised at the end by something unexpected. Unexpected is what we got from Mass Effect 3.  Unfortunately too, it was the result of an Ex Deus Machina late addition to the story at the final few minutes of the game.  In fact, the character that was introduced seemed added as afterthought, but at the same time didn’t fit at all within the concept of the game.

The Citadel Entity

This character was introduced in the final 10 minutes of the game.  I’m actually fine with introducing characters, but not immortal, unkillable, omnipotent characters.  Unfortunately, this is what we got from the entity on the Citadel.  Why is this a problem?  Omnipotent characters (characters with unlimited and extraordinary powers) can almost certainly not be defeated by an ordinary human.  However, assuming that Shepard was rebuilt from both machine and man, he might have been able to overcome his human side and fulfill that destiny.  Unfortunately, though, the game designers also decided to make this character as a spirit and immortal.  How do we know he’s immortal?  He clearly explains that he has gone through this cycle multiple times in the galaxy.  That is, wiping organics out and letting them flourish back.  How do we know he’s omnipotent?  He also admitted that he’s the one who builds the reapers… from humans! Basically, he subjugates the humans into becoming reapers to do his bidding. So, unless there’s a reaper factory out there turning humans into reapers, he’s got some severely fantastical powers.

The entity also states he’s living ‘in’ the Citadel, for whatever that means.  There’s nothing that says he can’t live somewhere else, though.  So, even if the Citadel structure may be destroyed, that doesn’t mean the entity will be destroyed also.

The Real Enemy

Actually, this wasn’t even discussed and should have been.  Once Shepard reaches the Citadel and begins getting the full story from the entity, it should have been clear as glass.  The reaper threat paled next to the threat that this entity poses.  If this entity is truly at the bottom of the whole reaper invasion and if he can make them at will and do it time and time again throughout eons, then nothing that Shepard can do with the Crucible will have any effect on that entity. Basically, killing the reapers was completely and utterly futile.  The entity can wait an infinite amount of time to start his task over again.  He simply needs to wait past everyone who remembers the Shepard era, rebuild the reapers (perhaps even ironically out of Shepard, Chakwas and other crew members) and have these new reapers start the cycle over.

That the writers completely failed to see the danger that this entity poses and, worse that they failed to let Shepard recognize it is a serious lack of judgement.  Any person who is military trained would have clearly spotted the danger that this entity poses, specifically after hearing this entity’s explanation.  Of course, if this entity is truly omnipotent, he could have been playing with Shepard’s mind and making him believe and do as he wished.  So, Shepard may not have been able to control his own actions against this entity.  And that’s the number one problem with using an immortal omnipotent being in any story.

This is a total cop-out method for story closure.  It means that the writers did not have enough confidence in their own abilities to write a satisfying conclusion and instead had to rely on a ‘trick’ to pull off the end.  That ‘trick’ cost them their review status on Amazon and severely damaged this franchise’s reputation, probably permanently.  EA/Bioware will be lucky if they can salvage this franchise for any use after this.

Can this be fixed?

That’s debatable.  Possibly.  However, it will take the writers to venture again into Ex Deus Machina territory to explain off the previous ending as nothing more than a mirage, illusion, dream sequence or other type of fantasy.  The one way I can even hope to see it work at all is by using the time when Shepard goes unconscious just after the ground reaper attack, but before he crawls to the portal.  That’s the time right before meeting the omnipotent immortal entity.  This could be explained off as simply as Shepard was fished from the surface of the planet in a coma and allowed to wake up.  Basically, the entire ending was simply a coma dream.  He simply fantasized it all because he wanted it to be over.

This would allow three things.  One, it will completely get rid of the immortal omnipotent entity from the story line (a totally unnecessary Ex Deus Machina character introduced way too late and without any previous setup).  Two, it allows the writers to completely regroup and come up with an actual ending that works.  It also allows EA/Bioware to continue this entire story into Mass Effect 4.  Three, even though using a ‘dream sequence’ is about as Ex Deus Machina as you can get, it does fit with ME3’s setup just enough that it could work.  The entire game kept revolving around Shepard’s dreams of chasing a boy.  So, the boy omnipotent entity could have simply been an extension of those dreams during his coma.

The trouble is, you can’t do this setup in ME3 at all.  It has to be done in ME4.  So, this will leave the fans hanging on this bad ending quite for some time before ME4 comes into existence. So, the problem is solved and Mass Effect 4 can continue.  But, how to undo the reputation issues quickly?  EA/Bioware will need to leak details of ME4 very very soon. Specifically, a video trailer to YouTube that shows Shepard waking up from his Coma, then some short dialog about what happened and an even shorter explanation that he never made it into the Citadel that gets immediately cut off by an explosion rocking the Normandy and off to work they go.

Of course, the reapers still need to be stopped as the relays are still active.  This could also lead into a very active opening for Mass Effect 4 and would allow Shepard to jump immediately into action to stop the heavy reaper invasion already in play.  So, he can’t remain in a coma very long or the Galaxy would be consumed by the huge reaper attack. They’ll need Chakwas to find a way to snap him out of it really fast. Note that this also means that the Elusive Man is still alive.

Tagged with: , , , , , , ,

leave a comment

Bad Operating System Design Ideas Part 1

Posted in Apple, Mac OS X, windows by commorancy on November 6, 2011

Here is a new series I am putting together.  While we all need to use operating systems every day, there are lots of stupid ideas that abound on these devices that some developer thought would be ‘cool’.  Let’s explore these design ideas and why they’re stupid.  Let’s start with one company that people seem to think can do no wrong.. Apple.  Yeah, I could start with the easiest target, Windows, but I’ll save the best (er.. easiest) for last. :)

Apple isn’t immune

Spring Loaded Folders

Apple’s OS X most definitely has some quirky and, frankly, stupid design ideas that simply need to go away.  For very good reason, the first on this list is spring loaded folders. This is one design idea that breaks EVERY UI rulebook.  This functionality moves windows around under the cursor to unexpected places during, of all times, when you’re about to drop a file or folder on it.  It’s almost like some kind of bizarre practical joke. I mean, if this isn’t the absolute worst idea, I don’t know what is.  I’m not even sure what they were thinking at the time of conception, but windowing operating systems should never ever move windows or cursors automatically.  Let the user move things if they want them moved.  Worse, the idea of spring loaded folders has nothing at all to do with moving the windows around.  The spring loaded folder is supposed to open a folder when you are dragging and hovering over to the top of a folder name.  While opening a new window in the middle of holding drag-and-drop operation may seem like a great idea, it’s really obvious why this UI concept doesn’t work:  it will lead to dropping folders into the wrong place.  I don’t even want to say how many times I’ve inadvertently lost folders and files as a result of spring loaded folders. Yes, at least you can turn it off and it should be off by default.

Android isn’t immune

There is no easy way to manage running applications (at least not in 2.2) or really any other settings.  You have to dig through the ‘Settings’ area to get to Applications and then manage them from there after a few drill downs.  Same with most settings.  This is a mobile device.  These things need EASY and FAST access.  Digging through 5 menus to get to the Bluetooth area is both wasteful and dangerous while driving.  Let’s get these things front and center with one click.

IOS isn’t immune

Dragging icons from screen to screen to move them is near impossible.  Most times it drops onto the current screen at the edge.  You then have to pick it up and drag it again.  It would be far simpler to show a representation of all of the screens at once and then drop it onto the screen you want it on.  You can then put it in the exact location later.

Windows isn’t immune (but who said it was?)

When you’re hovering over a scrollable area of an Explorer window, you have to click to activate before you can scroll.  The trouble is, there is no empty place to click that doesn’t activate something.  If you’re hovering over the folder area, whatever you click on will activate.  If you’re in the files area, the same thing.  This is magnified when the Explorer window also happens to be a file requester.  So, you’re trying to scroll to the bottom of the files area.  If you click anywhere in the files area, it will fill in the filename with the file you have just clicked.  Annoying.  I don’t know why Windows can’t just realize the mouse pointer is over that area and activate at least the scrolling part.  There really should be no click necessary.

Why Windows can’t remember my folder settings in Windows 7, I have no idea.  Getting rid of the Quick Launch bar, bad idea.  Turning the ‘Start’ button into the ‘Windows’ button, stupid (at least from a support perspective).  Can we at least keep some consistency from one OS to the next?

These are my initial pet peeves.  There are tons more that have yet to be documented.  I will highlight these in part two of this series.

Enjoy (and comment if you have peeves of your own).

Tagged with: , , , , ,

leave a comment