Websites Intentionally Disabling Password Managers

It wasn’t just me. The folks at Wired have noticed that some websites are not really very password-manager friendly.

I travel fairly often. Lots of that travel is for work, but I do get around on personal business and to get away. One of my go-to sites for travel is Hilton dot com. I’ve been a Hilton customer for a long time. I like their hotels. I think they treat me well wherever I go. This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site, you typically see a prompt for a user name and password along with a check box for ‘remember me’, where the site drops a site cookie in your browser. This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot.  It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached.  I found the test usually involves matching text to pictures.  The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager, this test comes up after that software has filled in the username and password fields and submitted that data, so my login fails. Once that failure happens, I have to complete the form and the robot test manually and then submit.

It’s important to understand why Hilton and these other companies are using this technology. The reason is that Hilton and others are seeing their websites ‘scraped’. Website scraping happens when someone writes a program that goes to a website and then proceeds to interrogate many or all of the options presented in order to record the information. Hilton doesn’t put a limit on how long I can use their website as long as I keep using it. These web scrapers can use lots of processor time by programmatically searching through Hilton’s properties on various dates and recording the accommodations available and the rates for those accommodations.

What Hilton and others using these robot tests are doing is simply trying to ward off programs accessing their website and data.

It is mildly annoying, but I’m still spending lots of time at Hilton properties.