Make WordPress Core

Opened 6 weeks ago

Last modified 6 weeks ago

#61155 new defect (bug)

Maximise compatibility with password managers when resetting password

Reported by: johnbillion Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:

Description

When I reset my password via the "Lost your password?" link on the login screen, my password manager doesn't prompt me to update my existing login credentials for that site. It's a really easy way to lose your new password.

Tested with:

  • 1Password in Chrome on macOS
  • Firefox built-in password manager on macOS

At a minimum, WordPress should work with the most popular password managers, including 1Password, LastPass, and the password managers built into Chromium-based browsers and Firefox, on desktop and mobile.

  • What can WordPress do to maximise compatibility with password managers when resetting a password?
  • Are there additional HTML attributes or hidden fields that should be implemented into the password reset process?
  • Is the automatically generated password part of the problem?

Change History (3)

#1 @johnbillion
6 weeks ago

From the 1Password developer documentation:

On password reset and "forgot password" forms, include the username for the password that is being reset. This helps 1Password determine which item to update with the new password.

#2 @swissspidy
6 weeks ago

There's also the autocomplete="new-password" attribute that could potentially be used, see https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete#values

#3 @JavierCasares
6 weeks ago

Yes, the “new-password” should be the way… probably changing that in the form at the user page will be a good first step.

More links for context:
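
Added example, not part of the ticket thread or of WordPress core: a Python audit that checks a reset form's markup for the two signals raised in comments #1 to #3, a populated username field and autocomplete="new-password" on every password input. The two sample forms and their field names (account, new_password, reset_key) are constructed for illustration, and treating an input with autocomplete="username" as the username signal is an assumption.

```python
from html.parser import HTMLParser


class InputCollector(HTMLParser):
    """Collect the attributes of every <input> element in a document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # Valueless attributes (e.g. readonly) arrive as None.
            self.inputs.append({k: (v or "") for k, v in attrs})


def tokens(field):
    """autocomplete is a space-separated, case-insensitive token list."""
    return field.get("autocomplete", "").lower().split()


def audit_reset_form(html):
    """Return a list of findings; an empty list means both checks passed."""
    collector = InputCollector()
    collector.feed(html)
    collector.close()
    findings = []
    passwords = [f for f in collector.inputs
                 if f.get("type", "").lower() == "password"]
    if not passwords:
        findings.append("no password field found")
    for f in passwords:
        if "new-password" not in tokens(f):
            findings.append("password field %r lacks autocomplete=new-password"
                            % f.get("name", "?"))
    # Assumption: the account is identified by a populated autocomplete=username input.
    if not any("username" in tokens(f) and f.get("value") for f in collector.inputs):
        findings.append("no populated autocomplete=username field")
    return findings


# Constructed sample markup, not WordPress's actual reset form.
BEFORE_FORM = """<form method="post">
  <input type="password" name="new_password" autocomplete="off">
  <input type="hidden" name="reset_key" value="CONSTRUCTED-KEY">
</form>"""
AFTER_FORM = """<form method="post">
  <input type="text" name="account" value="alice" autocomplete="username" readonly>
  <input type="password" name="new_password" autocomplete="new-password">
  <input type="hidden" name="reset_key" value="CONSTRUCTED-KEY">
</form>"""
```
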
