Websites Intentionally Disabling Password Managers

It wasn’t just me.  The folks at Wired have noticed that some web sites are not really very password manager friendly.

I travel fairly often.  Lots of that travel is for work but I do get around on personal business and to get away.  One of my go-to sites for travel is Hilton dot com.  I’ve been a Hilton customer for a long time.  I like their hotels.  I think they treat me well wherever I go.  This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’, where the site drops a site cookie to your browser.  This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot.  It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached.  I found the test usually involves matching text to pictures.  The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager, this test comes up after that software has filled in the username and password fields and submitted that data, so my login fails.  Once that failure happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.

 
