Closed Bug 93776 Opened 23 years ago Closed 22 years ago

yahoo.com - Several sites, notably yahoo mail, opt out of using password manager

Categories

(Tech Evangelism Graveyard :: English US, defect)

Product:
Tech Evangelism Graveyard
Component:
English US
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED WONTFIX

People

(Reporter: nicolasbock, Assigned: susiew)

References

(
URL
)

Details

(Keywords: helpwanted)

Attachments

(2 files)

Hack to re-enable the autocomplete ^_~
1.45 KB, text/plain
Details
On Password Manager
2.73 KB, text/plain
Details 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010802
BuildID:    2001080221

The password manager doesn't offer to store login information for my yahoo mail
account.

Reproducible: Always
Steps to Reproduce:
1.go to http://mail.yahoo.com/
2.log on
3.repeat

Actual Results:  Nothing happens, i.e. the password manager doesn't offer to
store the login information.

Expected Results:  The password manager should open a dialog, offering to store
the login information.
over to password manager.
Assignee: ssaux → morse
Component: Client Library → Password Manager
Product: PSM → Browser
QA Contact: ckritzer → tpreston
Version: 1.01 → other
That's because yahoo has opted out of using the password manager.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
Verified
Status: RESOLVED → VERIFIED
*** Bug 111603 has been marked as a duplicate of this bug. ***
Modifying summary: "mamanger" -> "manager"
Summary: password mamanger doesn't offer to store password for yahoo mail → password manager doesn't offer to store password for yahoo mail
Is there anything that we can do to convince Yahoo! to use the password manager?
*** Bug 111634 has been marked as a duplicate of this bug. ***
*** Bug 82956 has been marked as a duplicate of this bug. ***
*** Bug 90013 has been marked as a duplicate of this bug. ***
*** Bug 110008 has been marked as a duplicate of this bug. ***
Forest Taylor: Is there anything that we can do to convince Yahoo! to use the 
password manager?

Yes.  Open a separate bug and assign it to evangelism.  The opt-out feature was 
added to satisfy the strong demands of the financial community.  But there is 
absolutely no reason that yahoo mail should consider itself in that category and  
chose to opt out.  See all the dups of this bug and you'll realize how many 
people are agreeing with me.
*** Bug 114468 has been marked as a duplicate of this bug. ***
*** Bug 115809 has been marked as a duplicate of this bug. ***
Hm, this will fix your problems :)
"The opt-out feature was added to satisfy the strong demands of the financial
community."

Why do we have this button 'Never for this site', if you can't use it? Are we,
mozilla and netscape users, really that stupid? The financial community can go
to hell with their demands. Power to the people :)
The correct way to do this is to look in extensions/wallet/src/wallet.cpp and 
search for the sections of code that are bracked by #ifdef 
WALLET_DONT_CACHE_ALL_PASSWORDS.  Rewrite that to be conditional code based on a 
pref setting.

Only problem is whether or not the financial institutions pull the plug on the 
mozilla/netscape6 browser if we do that.
*** Bug 101048 has been marked as a duplicate of this bug. ***
*** Bug 118688 has been marked as a duplicate of this bug. ***
Reopening and moving to evangelism.  We should at least let Yahoo know how many 
Mozilla users reported this bug to us.
Status: VERIFIED → UNCONFIRMED
Resolution: INVALID → ---
-> tech evangelism
Assignee: morse → doronr
Status: UNCONFIRMED → NEW
Component: Password Manager → US General
Ever confirmed: true
OS: Linux → All
Product: Browser → Tech Evangelism
QA Contact: tpreston → zach
Hardware: PC → All
Summary: password manager doesn't offer to store password for yahoo mail → yahoo mail login form tells password manager not to offer to remember passwords
Version: other → unspecified
*** Bug 120512 has been marked as a duplicate of this bug. ***
Most but not all the dups of this bug have to do with yahoo mail (see 101048 and 
120512 for example and there are a few others).  Therefore changing summary from

   yahoo mail login form tells password manager not to offer to remember pwds

to

   Several sites, notably yahoo mail, opt out of using password manager

It's true that most of the other sites are financial institutions and they have 
good reason (at least in their opinion) of opting out.  So there's nothing much 
evangelism can do there.  But sites like yahoo mail have no justification for 
opting out and these are the sites that evangelism should focus on.
Summary: yahoo mail login form tells password manager not to offer to remember passwords → Several sites, notably yahoo mail, opt out of using password manager
Blocks: 121228
this is not in the scope of the evangelism effort. They are using the available
features of the browser. If you as a customer do not like that, please complain
or use another service.

doron, i say mark it invalid.
Summary: Several sites, notably yahoo mail, opt out of using password manager → yahoo.com - Several sites, notably yahoo mail, opt out of using password manager
Anyone want to do this? We have more important bugs out there, but if someone
wants to take this and contact yahoo, that person can take the bug. Otherwise,
invalid
Keywords: evang500
*** Bug 124829 has been marked as a duplicate of this bug. ***
IMO users should have to have a way to force the use of the password manager,
despite everything the site says.
I agree that the user should have the choice, even if it's not a default and 
activated by a hidden pref. A browser is a *client* application, and banks 
shouldn't be able to blackmail Mozilla into inconveniencing users who wish to 
make a choice - after all, users could walk around with their password details 
printed on their T-shirts if they really wanted to, so why aren't we allowed to 
instruct our browsers to memorise things for us?

If it's difficult to activate (e.g. hidden pref / lots of warning dialog boxes), 
then it can only be done by someone conscious of the risks, hence there can be 
no *reasonable* case for anyone to block the browser.
There are two separate issues here so let's not confuse them.

One is whether the user should have access to a hidden pref to override a 
financial website which has a bonafide reason for wanting to opt out of password 
manager.  That is the topic of bug 124065.  See also bug 63961 which created the 
ability for a site to opt out in the first place.

The other issue is specifically about yahoo.mail, and whether it should be using 
this opt-out mechanism that was designed for financial institutions.  That is 
the issue in this bug report.  IMO, the answer is that they should not be and 
that an evangelist will need to get them to see the error of their ways.

Please keep discussion in this bug focused on the second issue only, since there 
are other bug reports specifically for the first.
as I am not very mistaken, you can use the financial section of Yahoo with the
same userID and password of the mail section.
Even more if you sign into mail, you need not sign in for financial again -> the
same cookie is used.

Whether the yahoo financial section justifies to use a "bank opt-out" is IMHO
another point.
Christian: If by "the financial section of Yahoo" you mean PayDirect, it
requires an extra password in addition to your Yahoo ID and password.  It makes
sense for PayDirect to require this extra password, because users aren't as
careful with webmail passwords as they are with financial passwords.  PayDirect
only asks you to enter the extra password once you have logged into Yahoo *and*
established an https connection to Paydirect.  The form that asks you for the
extra password correctly uses autocomplete=off.
*** Bug 134789 has been marked as a duplicate of this bug. ***
Jesse: I believe Christian meant finance.yahoo.com and the umbrella of other
domains under it (banking.yahoo.com, loans.yahoo.com, insurance.yahoo.com,
taxes.yahoo.com, etc.) which includes function for tracking nearly every piece
of personal financial information you could dream up, including 401K, credit
cards, stocks and bonds, taxes and more. All of this is "protected" behind a
common login page hosted off of login.yahoo.com, which also happenes to be the
common login of mail.yahoo.com. This of course brings up the irony of the fact
that on a page where they prohibit us from saving userid/password in PSM, they
offer a checkbox to have them leave a cookie and remember your login.
*** Bug 137471 has been marked as a duplicate of this bug. ***
Keywords: evang500helpwanted
*** Bug 139920 has been marked as a duplicate of this bug. ***
I had contacted yahoo regarding using the autocomplete=off in their login form
long before mozilla supported the autocomplete attribute. They never replied back.

Also, I tried the hack that is mentioned, but the password manager doesn't kick
in the first time when I visit http://mail.yahoo.com, it only appears when I
signin and then signout and then try to sign in. Think it has something to do
with the way the current URL and the form submission URL. The first time I visit
Yahoo mail, the location bar is http://mail.yahoo.com, while if I login and
logout and go to the sign in page, the location bar is at
http://login.yahoo.com. The form submits to https://login.yahoo.com.
Tushar: could you try again? and tell them how many people ask for that?
It seem that Neil forgot to inform you about one little trick, javascript should
be disabled the first time only! 

1 - disable javascript for navigator (Menu/Edit/Preferences/Advanched/Script &
Windo...
2 - now, visit http://mail.yahoo.com
3 - type your name and password here (password dialog will be displayed)
4 - re-enable javascript for navigator

Now, your worries are over. I should know, because I'm the person who developed
this little hack for MultiZilla, and it still works ;)
you know, i'm sure that doubleclick would be unhappy to know that i blocked all
images from their site.  i'm also sure that a lot of people would be unhappy to
know that my cookies are killed whenever i close the browser.

these options are still available in mozilla.
i see no reason why i shouldnt be able to force mozilla to remember the password
for a specific page.  if yahoo wants to make their default to not-remember,
fine.  but it is my computer, i want to be able to override it.
*** Bug 143074 has been marked as a duplicate of this bug. ***
My Yahoo login password is saved in my password manager. Is this a legacy from
before Yahoo opted out?
Assignee: doron → susiew
Or more likely a legacy from before we added the code to mozilla that 
recognized the fact that yahoo was requesting to opt out.
*** Bug 144736 has been marked as a duplicate of this bug. ***
Yahoo responded that they disabled this feature due to security concerns. (Well,
at least you can have them remember your id on the server).

Marking won't fix.
Status: NEW → RESOLVED
Closed: 23 years ago22 years ago
Resolution: --- → WONTFIX
v
Status: RESOLVED → VERIFIED
i can't believe that i can't override yahoo (and other such sites) on my own
computer.  this is ridiculous.
As I've said in comment #26, there should be a way of *manually* forcing a
password to be saved. I guess that banks have problems with the automatic
activation of the pw manager. I'm talking of a context menu.. like.. "force the
use of password manager to store this password". And there could be a warning
"This site has requested the password to be handled with special care. Are you
sure you want to store the password in the pw?" Would this be acceptable?

So there should be a new bug. I've filed it and it's bug 145797.
*** Bug 146551 has been marked as a duplicate of this bug. ***
*** Bug 148230 has been marked as a duplicate of this bug. ***
*** Bug 148437 has been marked as a duplicate of this bug. ***
To make Mozilla remember your Yahoo Mail password, drag the remember password
bookmarklet to your personal toolbar, and click the bookmarklet after entering
your Yahoo password but before clicking the Sign In button.  You can get the
remember password bookmarklet from
http://www.squarefree.com/bookmarklets/pagelinks.html#remember_password.
Why not let the USER rather than the site opt out! It's my browser and my
password - I want to decide!
Rob Hill, see bug 63961 comment 1 in which I said exactly what you just said.  
Problem is that the browser would be blocked by all financial institutions if we 
didn't allow the sites to opt out.


IMHO think that Yahoo has more against mozilla because it allows blocking of
images (not by default, mind you)

This is simply a feature that is being abused by sites (UserAgent, anybody?).
Therefore the user must be given the option to disable it.

Anyway, would you work against the workaround from comment #52 ?
Yahoo is a the beta process to make a new webmail interface... in the FAQ the
have a link to a feadback form, http://add.yahoo.com/fast/help/us/mail/cgi_beta
it might be one way for everyone to contact yahoo and ask for them not turn off
password manager.
If you don't want to be bothered with patching/compiling Mozilla, you can use a
text editor to manually store your username/password in your .mozilla/??/??/??.s
file for these sites.  Consider two web sites: "A.com" allows password saving,
"B.com" doesn't.  Go to "A.com" and type in your name/password of "B.com".  Then
go edit your ???.s file and where it says:

B.com
UserName
~oaisjdfoaisjdf
*password
~oiajsdfoij
.

change it to:
A.com
site_A_username_field_name
~oaisjdfoaisjdf
*site_A_password_field_name
~oiajsdfoij
.

Or you can go look up the "obscuring" algorithm used in Mozilla and write a
little utility to manage this password file.
I got the site names backwards in the last post, but you get the idea.
This is certainly not for the masses, but I'll comment on it anyhow.  It will 
work only if both forms have the same labels for the fields.  So you might want 
to accomplish this by first making a copy of the offending site and changing the 
html to not block the autofill.  Then you would do as you discribed.
*** Bug 155981 has been marked as a duplicate of this bug. ***
*** Bug 156458 has been marked as a duplicate of this bug. ***
*** Bug 162399 has been marked as a duplicate of this bug. ***
*** Bug 162989 has been marked as a duplicate of this bug. ***
*** Bug 165102 has been marked as a duplicate of this bug. ***
I recently filed bug #165102 and got pointed here (sorry my search didn't find
this thread). Although I don't like the financial community's attitude, at least
now I understand what's going on.

Shouldn't Mozilla at least put up a message something like "This site has
forbidden the use of stored passwords?". That would at least inform the user as
to what's going on, and would have prevented me from filing a duplicate bug.
Isaac Wingfield says: "Shouldn't Mozilla at least put up a message something
like "This site has forbidden the use of stored passwords?". That would at least
inform the user as to what's going on, and would have prevented me from filing a
duplicate bug."

I think that is an excellent idea.
Please open another bug with your enhancement request. 
The wording needs to not confuse the user, if the site offers server-side
password saving.
*** Bug 167731 has been marked as a duplicate of this bug. ***
*** Bug 168970 has been marked as a duplicate of this bug. ***
I use Mozilla as my primary browser but I also use Gator with Netscape to manage
some of my userids/passwords to log onto financial websites. What is different
about what they do that allows them to remember userid/passwords for financial
sites that password manager won't or can't do.
They don't observer the "autocomplete=no" attribute.
END USERS should ALWAYS have the option of overriding this on their own
computer. there should be a, override-override in place as a preference. Go
ahead and make it off by default, but if a user lives alone and has a passworded
computer, there is no need for more passwords.
*** Bug 205100 has been marked as a duplicate of this bug. ***
Autocomplete works for hotmail accounts in the next update of MultiZilla.mozdev.org
How about bankofamerica.com, or checkfree.com, or all the credit card sites? 
I'm not sure about the "all the credit card sites" comment as Citibank,
DiscoverCard and MBNA all allow password manager to save the username and password.
Actually, Discovercard is the only one in your list that allows remembering
passwords. Citibank and MBNA do not, and after checking, they both have the
AUTOCOMPLETE="off" tag in their forms. Many others do to:

My list of ones that I know don't allow it are as follows:

Bank Of America (Banking)
Bank Of America (VISA)
MBNA Mastercard
American Express
Homecomings Financial (Home Loans)
The Vanguard Group (IRA Accounts)
CheckFree (Online Bill Paying)


Interesting, as it works for me when I go to citibank. Maybe I got my signon
info saved before Mozilla started honouring AUTOCOMPLETE="OFF". I can't check at
the moment as my main computer is on a ship in the Pacific Ocean somewhere.
I'd appreciate it if you would open a new bug under another component or use
another forum to have this discussion. Thanks.
Creating another bug will, of course, be duped to this one.

Also, does anyone know which standard AUTOCOMPLETE came from?
Other components don't have this problem though, so opening a new subject would
be counter-productive. This is the appropriate place to deiscuss the opt-out
feature because the bug is clearly reported as "Several sites, NOTABLY yahoo
mail..."
I believe we are discussing the "several sites" referred to in the original
post. Apparently, several people, including myself, feel that this issue should
not be closed.
*** Bug 206842 has been marked as a duplicate of this bug. ***
*** Bug 207147 has been marked as a duplicate of this bug. ***
Mozilla bending over and taking it over this autocomplete thing is the bug.  It
better solution is to work with these institutions to make password manager
better.  That's a politics thing so I'll leave that to others.

This bug is really about yahoo abusing the diable feature.  Yahoo is clearly in
the wrong here.  So they should be disabled in mozilla which will force them to
fix their web site so that another password is needed for the "financial" areas
of their site (where autocomplete can be off) and they reenable auto complete
for the rest.

This is can be achieved through two lists.  One is a built in ACO abuser list
that ignores autocomplete=off requests.  To be fair the list should be
downloaded and cached every so often rather than built in so that when sites do
comply they can be can removed from the list and old versions of mozilla won't
then block the site.

A web site may respond by blocking mozilla through the client ID string so it's
time mozilla implemented a similar list for sites that abuse this ID feature.  A
client ID string manager.  First an auto downloaded list like above with the
most approprite ID string available for the list of abusing sites.  The user can
override specific site behavior through a custom site list that takes presidence
over the automatic list.

*** Bug 224664 has been marked as a duplicate of this bug. ***
As a new Firebird user and an older My.Yahoo and Yahoo Mail user, I support
Mozilla's cooperation with Yahoo's and the financial sites' requirements,
aggravating and obnoxious though they be. We Yahoo users can try to pressure
Yahoo on this matter and threaten to take our business elsewhere if we dislike
the inconvenience entailed by their rejection of autocomplete. If Mozilla takes
any steps to change the browser to bypass Yahoo's refusal, I can just imagine
Yahoo thinking, "Screw them! How many people use their browser anyway?" There
are already too many sites that don't bother to work right with anything but IE.
Let Mozilla make nice with Yahoo and the financial sites, and let Mozilla users
pressure the sites to cooperate with us.
Attached file On Password Manager 

    
    

    
  
*** Bug 166656 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 168423 has been marked as a duplicate of this bug. ***

    
    

    
  
What's wrong with RoboForm?  As I understand it there will always be some who
will 'opt out'  (banks, etc.).  What's the point of fighting a battle you can't
win (100% anyway)?  Apparently they (the 'opt outers')have no control over third
party sortware.  Robo works perfect for me, and as far as I'm concerned, IT IS
part of Mozilla.  (Basic program is freeware by the way)



    
    

    
  
This is related to http://bugzilla.mozilla.org/show_bug.cgi?id=245779


I have tried the user_pref("wallet.crypto.autocompleteoverride", true); three
different bookmarklets and enable auto completion in the Web Developer extension.

The setting made no difference at all, the bookmarklets and WD did, at best,
work partially:

If you opened the frame at ikanobanken.se in a new window and entered the login
data I was asked if I wanted PW-manager to remember the password but the data
was still not entered in the form, neither on the main page or the frame.

At banco.se there was no difference at all.

You can try it yourself at https://secure.ikanobanken.se/min_ikanobank/ (either
this page or the frame with the form in)

Enter any 10 digit number (e.g., 1234567890) in the first field and any four
digits (e.g., 1234) in the second field and hit enter.


If you have the regular page open nothing happens when you hit enter.

If you have the 'form frame' open on its own and has either via bookmarklets or
WD activaed auto completetion PW manager will ask you if you want to save the
form data.

However, next time you load either the main page or just the frame nothing is
autocompleted.


This is Firefox 0.9/Mac OS X

    
    

    
  
*** Bug 259992 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 265818 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 268978 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 280790 has been marked as a duplicate of this bug. ***

    
    

    
  
like db in comment 91, i've tried setting wallet.crypto.autocompleteoverride to
true and i've tried jesse's "remember password" bookmarklet from
http://www.squarefree.com/bookmarklets/forms.html#remember_password .  i tried
the disable javascript hack.  still no dice with mail.yahoo.com... why is yahoo
able to dictate this behavior?

i've been testing all this on firefox 1.0.1 on XP.

    
    

    
  
I've switched to a Mac since my last post. In addition to having this bug, Yahoo has become so slow and 
tedious to use that it's not worth it. I'm giving up on Yahoo altogether.

    
    

    
  
There's another issue here. Some sites' passwords won't save even though there's
no autocomplete="off" in the code.

This is because they use JavaScript to generate a SHA-1 hash of the password
(with salt added) client-side and store that in a seperate form field prior to
submission. They also blank the real password field to prevent the cleartext
password being sent.

Because the password field is blanked and Password Manager must not check until
after onsubmit="" is called, Password Manager doesn't offer to remember the
password.

You can observe this at http://album.co.nz/ and also at banking site
http://www.kiwibank.co.nz/

    
    

    
  
The Kiwibank problem was reported in Bug #208857

(In reply to comment #98)

> You can observe this at http://album.co.nz/ and also at banking site
> http://www.kiwibank.co.nz/



    
    

    
  
*** Bug 292828 has been marked as a duplicate of this bug. ***

    
    

    
  
another option i tried is the "Allow Password Remembering" grease monkey user
script available from the 4/10/05 post at
http://blog.monstuff.com/archives/cat_greasemonkey.html .  in theory, it should
behave the same way as setting wallet.crypto.autocompleteoverride to true.  as
expected, this still doesn't work with mail.yahoo.com :(

does anyone have a solution for mail.yahoo.com?

    
    

    
  
Adding self to CC list.

(In reply to comment #16)
> The correct way to do this is to look in extensions/wallet/src/wallet.cpp and 
> search for the sections of code that are bracked by #ifdef 
> WALLET_DONT_CACHE_ALL_PASSWORDS.  Rewrite that to be conditional code based on a 
> pref setting.

Is this an instructions for end-users who can tweak something within their
profile or install directory or instruction for coders? Please explain.

    
    

    
  
(In reply to comment #102)
> Is this an instructions for end-users who can tweak something within their
> profile or install directory or instruction for coders? Please explain.

That's an implementation suggestion for developers, not something the average
end user would be doing. It would require changing the source code to mozilla
and rebuilding the browser.

    
    

    
  
The same behaviour as described in comment #98 I find at
http://www.friendscout24.de/

With javascript, they somehow manage to blank out the password. But how do they
differentiate between the password a user typed in and one password manager
types in?


    
    

    
  
What about suggesting to Yahoo! that they create another login page which does
not use AUTOCOMPLETE="off"?

If they didn't advertise that alternate login page, but instead just made it
quietly available to only those of us clamoring for it and persistent enough to
locate it -- wouldn't that solve the problem for everyone?

Yahoo! currently has "standard" and "secure" login pages.  I'm just talking
about exact duplicates of those pages without the AUTOCOMPLETE tag.  This is as
close as it gets to being zero effort for Yahoo! to address.

I'd suggest this to Yahoo! myself, but it's clear from reading all the comments
here that others have better connections that I do.  OTOH, if this is a good
idea, let's all suggest this to them en masse.

    
    

    
  
*** Bug 329298 has been marked as a duplicate of this bug. ***

    
    

    
  
*** Bug 345615 has been marked as a duplicate of this bug. ***

    
    

    
  
Here is a way to add blocked sites without adding any extensions or scripts to Firefox: 
http://dotancohen.com/howto/firefox_password_manager.php

Tested on Yahoo, Wachovia, Fabulous. (disclaimer: it is my site, I wrote it)

    
    

    
  
Maybe I'm dense but I don't see what autocomplete has to do with not recognizing cookies. If I go to www.netflix.com the first thing it tells me is my cookies are not enabled. I know this is wrong because my cookies have always been enabled and the problem started around Firefox 3.0.x when I had changed nothing. I suppose this duplicates some bug but I haven't a clue what it might be.

    
    

    
  
It doesn't.  longsonr got confused by the summary of bug 509531.  I reopened it for you and gave it a slightly better summary.
Product: Tech Evangelism → Tech Evangelism Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: