British Gas has acknowledged pressure coming from the cyber-security profession and agreed to take another look at its policy toward password managers.
The gas supplier came under severe criticism on Twitter for announcing, without apology, that it doesn't want its customers to use password managers when logging into its customer site. It implemented the policy by placing the onpaste='return false' attribute in its web code.
No explanation has been given for this decision apart from a statement that “as a business, we've chosen not to have the compatibility with password managers”.
Now, in an email statement to SCMagazineUK.com, the company has stated: “We're always open to listening to views on subjects like digital security, which is of paramount importance to us. Based on the feedback we're going to take another look at our approach to password managers. We'll let you know what we decide.”
The controversy started when British Gas customer Ben Woodward tweeted British Gas to ask them to modify their web page to allow password managers to work.
@Sacro Hi Ben, I understand but as a business we've chosen not to have the compatibility with password managers. Thanks, Joe— British Gas Help (@BritishGasHelp) July 14, 2015
The onpaste='return false' attribute can be disabled in many browsers, as detailed here: http://the-hug.org/opus2197.html.
Security experts described the British Gas policy as bizarre and inexplicable. The crux of the matter for the security community is that by blocking the use of password manager, British Gas is discouraging customers from using strong passwords.
There have been more than 100 replies to British Gas from customers and security experts ridiculing the company and urging them to reconsider their decision.
Security commentator Graham Cluley said simply, “that's a very poor decision. Please reconsider.”
Blocking password manager is an issue that has arisen with other websites including Yahoo and various banking sites.
In Firefox, an attribute “autocomplete='off'” can be added to a page which prevents users from automatically filling in already saved data for forms and fields that have the attribute and also blocks saving new data from those forms and fields if they have the attribute.
Gavin Sharp, writing on Mozilla's Bugzilla forum, said, “This behavior is a concession to sites that think password managers are harmful and thus want to prevent them from being effective. In aggregate, I think those sites are generally wrong, and shouldn't have that much control over our behavior.”
In January 2014, he recommended removing support for autocomplete=off, at least as it related to saving passwords.
This issue also popped up in a discussion on the w3.org forum in December 2013. Joel Weinberger wrote that he wanted to ignore autocomplete=off for password fields. “We believe that the current respect for autocomplete='off' for passwords is, in fact, harming the security of users by making browser password managers significantly less useful than they should be, thus discouraging their adoption, making it difficult for users to generate, store, and use more complex or (preferably) random passwords. Additionally, the added benefit of autocomplete='off' for security is questionable at best.”
In a reply to the post, another user, “Maciej”, noted that Safari already supported this.
An in January 2014, Adrian Bateman – with an email address which identified him as Microsoft staff – said that in Internet Explorer 11, the company had decided to stop supporting autocomplete=off when the input type was password <input type=password>. “We haven't heard any significant negative feedback so far [from website owners],” he said.