Casey,

You are assuming two things about the user:

1. That they are aware that they are performing the dance. I recently listened to someone complain about the buggyness of an Intranet web-site, unaware that he was actually just stepping through the moves.

2. That they could be bothered to perform this step. “Well, I am in a hurry, and I am logged in now. I will clean it up next time I come to this site.”

Alastair,

It sounds like Safari is acting very much like Firefox does. See the next post – coming very soon.

I have seen that problem before, but I just tried to recreate it with Safari and failed.

I tried logging into a website with an incorrect password, and Safari remembered the incorrect password. I think this is actually reasonable because there are rarely any clues to the browser as to whether the login was successful or not.

But when I finally entered the correct password, Safari overwrote the incorrect password with the correct one in it’s database (after prompting a second time). I verified this by looking in the password database and verifying only one entry for that website. I also logged out and logged back in again using Safari’s password and it worked OK.

From the above description of Opera, it seems that Safari works a similar way with multiple usernames for a given website.

The trick is to make sure that you either log in successfully to a given website, or remember to remove the website from the password database. I agree this is far from an ideal situation, but I believe my browser is doing the best it can under the circumstances. What we really need is a change to the underlying technology, such as the use of HTTP digest authentication perhaps? The key here is to enable the browser to know when authentication failed.

For what it’s worth I don’t use the browser’s password database that much these days. The main reason is that I have lots of browsers on lots of machines, and AFAIK you can’t copy and merge their password databases. I am slowly migrating from a fairly weak set of password generation ‘rules’, backed up by a separate (i.e. non-browser) password database, to the PasswordComposer tool. Results are inconclusive so far, because I have difficulty remembering which accounts I have migrated and which ones I haven’t…

Opera is now free, and has an excellent solution to this problem. Opera calls it the “Magic Wand” or some such, basically the same as Password Manager or whatever. Forms with saved answers are shown with gold highlighting, which is very nice. When there are multiple saved passwords, and you use the Wand (Ctrl-Enter = magic!), it shows you all possible usernames (not passwords) and lets you choose which to use. They are listed in order of addition, and you can delete them from the same window. When this happens to me, I first check which (if any) of the saved passwords works, and then delete all the others so that the Wand is instantaneous again.