Strengthen Firefox autofill feature

By default, Firefox automatically fills in usernames and passwords you have previously entered in a login form. Though this is convenient and speeds things up, it has also proved to be a security weakness because of how Firefox identifies a login form.

Secure Login, a Firefox extension developed by Sebastian Tschan, solves this problem and adds a couple of new tricks to password retrieval. First, it deactivates autofilling and adds a status bar icon (or toolbar button) that lights up when it detects that credentials are available for the web site.

Press Alt + N (the hotkey can be customized as well), or click on the status bar icon or the toolbar button, and the credentials are filled in and the form is automatically submitted, saving one click in the process. If more than one credential is available, a list is shown so you can quickly select one.

Secure Login also brings an interesting feature: it “doesn’t use the login form for sending the login data and therefore gets around malicious JavaScript event handlers”, explains Tschan, which helps prevent cross-site scripting (XSS) attacks used to steal private information or access local files.
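The difference Tschan describes can be seen in a small model, added here as an illustration and not taken from the extension's code. `FakeForm`, `fillAndSubmit`, `submitDirect` and the sample credentials are hypothetical names and constructed values, and the "direct" path is an assumption about what not using the login form means.

```javascript
// Constructed stand-in for a login form: named fields plus DOM-style events.
class FakeForm extends EventTarget {
  constructor(action, fieldNames) {
    super();
    this.action = action;
    this.fields = Object.fromEntries(fieldNames.map((name) => [name, ""]));
  }
}

function buildRequest(action, values) {
  return { method: "POST", url: action, body: new URLSearchParams(values).toString() };
}

// Autofill-style path: credentials are written into the form and the form is
// submitted, so every submit handler registered by page script runs with them in reach.
function fillAndSubmit(form, creds) {
  Object.assign(form.fields, creds);
  form.dispatchEvent(new Event("submit"));
  return buildRequest(form.action, form.fields);
}

// Direct path (assumption about what "doesn't use the login form" means):
// only the target URL and field names come from the form; values come from
// the password store; nothing is written to the form and no event is fired.
function submitDirect(form, creds) {
  const values = {};
  for (const name of Object.keys(form.fields)) values[name] = creds[name] ?? "";
  return buildRequest(form.action, values);
}

// Runs one path against a fresh form and records what a page handler could read.
function run(submitFn) {
  const creds = { user: "alice", pass: "constructed-secret" }; // constructed sample
  const form = new FakeForm("https://example.test/login", ["user", "pass"]);
  const seenByHandler = [];
  form.addEventListener("submit", () => seenByHandler.push({ ...form.fields }));
  const request = submitFn(form, creds);
  return { request, seenByHandler, leftInForm: { ...form.fields } };
}

function compare() {
  return { autofill: run(fillAndSubmit), direct: run(submitDirect) };
}

console.log(JSON.stringify(compare(), null, 2));
```

Both paths produce the same POST body for the server; only the autofill-style path leaves the password in the form and exposes it to the page's handler.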

By default, it adds an item to the Tools menu which, fortunately, can be disabled from the extension options. It can also be configured to play the sound of your choice when credentials are detected. An excellent extension.

Mozilla Add-ons is currently closed for updates while it is being upgraded, so the version available there is not current. For the latest version (reviewed here), visit the developer’s web site.


Usefulness: 5/5 – Features: 5/5 – Usability: 5/5

Update: Thanks to Sebastian Tschan for the clarifications.

6 thoughts on “Strengthen Firefox autofill feature”

  1. Thanks for your article.

    Just a few corrections:
    – My name is spelled “Sebastian Tschan”.
    – The keyboard shortcut (ALT+N) can be changed since version 0.6.2
    – The “JavaScript protection on login” option doesn’t disable JavaScript temporarily, it just doesn’t use the login form for sending the login data and therefore gets around malicious JavaScript event handlers

    I already uploaded the newest Secure Login version (currently 0.7.1) to the new developers control panel (, but they have a new concept called “sandbox” and therefore the new version so far isn’t public.


