bad bot error on autofilled password on chrome

Bug #1775588 reported by VladNistor
This bug affects 6 people
Affects                | Status       | Importance | Assigned to             | Milestone
Canonical SSO provider | Fix Released | Low        | Maximiliano Bertacchini |
Chromium Browser       | Fix Released | Undecided  | Unassigned              |

Bug Description

When I try to login to my account on Chrome Beta 68.0.3440.14 on Android with my pre-filled username and password that are saved into Chrome, I get the following message: "Bad bot, go away! Request aborted".

I wish to be able to log in from my smartphone.

Revision history for this message
Maximiliano Bertacchini (maxiberta) wrote :

I'm able to reproduce on Chrome Beta 68.0.3440.14 on Android 8.1. Curiously, Chrome 66.0.3359.158 works fine with the same set of stored credentials.

Changed in canonical-identity-provider:
status: New → Confirmed
VladNistor (vladnistor) wrote :

Desktop Chrome Beta is also affected.

Maximiliano Bertacchini (maxiberta) wrote :

This seems to be an issue in Chrome's autofilling of a hidden honeypot field, and it's filed in https://bugs.chromium.org/p/chromium/issues/detail?id=851808 (it specifically mentions the Ubuntu SSO login), though it's not been triaged as of Jun 18 2018.

Summary:
The password manager sees an input field with name "openid.usernamesecret" and guesses this is the username field, so it fills it with the username. However, it's set to display:none, so the user cannot see this. They fill in the visible username field, click submit, and get the error.

Maximiliano Bertacchini (maxiberta) wrote :

Changing the honeypot field name to anything that does not contain "user" seems to fix the issue as well, though that'd probably defeat the purpose of this field.

Daniel Manrique (roadmr)
Changed in canonical-identity-provider:
status: Confirmed → Triaged
importance: Undecided → Low
Maximiliano Bertacchini (maxiberta) wrote :

This issue has been triaged and marked as a blocker for next stable release of Chrome/Chromium in Chromium's issue tracker. https://bugs.chromium.org/p/chromium/issues/detail?id=851808

Trent Lloyd (lathiat) wrote :

This also happens when using the LastPass extension for Safari on iOS. It's not new; it has happened for about 2 years, but I only just recently reported it.

Given the prevalence of password managers now, perhaps this check just has to be retired?

Daniel Manrique (roadmr) wrote :

I would prefer not to remove the check because it protects against automated account creation attempts. Since Chromium's filling of hidden fields has been filed as a bug, I wonder if a similar problem exists with Lastpass and could be reported to them.

Weakening our protection measures because password managers are mistakenly filling out a hidden (display:none) field which a human would never touch (the entire reason why we have the honeypot is to distinguish silly bots from humans, I would expect password managers to know this and skip those fields) sounds like a step backwards to me.

Maximiliano Bertacchini (maxiberta) wrote :

Quote from upstream bug report[1]:
> Status: Fixed
> This issue should be completely fixed in Chrome 69, starting with Canary in a day or two. As explained in #12, I won't be merging it to 68.

[1] https://bugs.chromium.org/p/chromium/issues/detail?id=851808

Changed in chromium-browser:
status: New → Fix Committed
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
status: Triaged → Fix Committed
Maximiliano Bertacchini (maxiberta) wrote :

As a workaround until Chrome/Chromium 69 stable release, we've renamed the hidden field as "openid.secret".

Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
summary: - bad bot error on autofilled password on chrome android
+ bad bot error on autofilled password on chrome
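The mechanism discussed in this thread (an autofill heuristic that chooses the "username" field by name alone, fills the hidden honeypot, and the server-side honeypot check then rejects a real user) can be modelled in a few lines. The following is an added example written for this page; it is not code from Chromium or from the Canonical SSO provider. The field names "openid.usernamesecret", "openid.secret" and "openid.username" come from the thread; the form layout, the "name contains user" heuristic, the hidden-aware variant, and the rule that any content in the honeypot means "bot" are constructed assumptions used to illustrate the false positive and why the rename works.

```javascript
// Added example, not from the bug report or the SSO project. Models the
// interaction described in the thread: a name-based autofill guess fills a
// display:none honeypot, and the server's honeypot check rejects a human.

// A login form as the server renders it. `hidden: true` stands for
// display:none, which a human never sees but a DOM-driven autofiller can.
// Layout is constructed; the field names are the ones quoted in the thread.
function makeLoginForm(honeypotName) {
  return [
    { name: honeypotName, type: "text", hidden: true, value: "" },
    { name: "openid.username", type: "text", hidden: false, value: "" },
    { name: "openid.password", type: "password", hidden: false, value: "" },
  ];
}

// Constructed stand-in for the autofill heuristic the thread describes:
// fill the first text input whose name contains "user", ignoring visibility.
// With skipHidden set, hidden inputs are skipped (an assumed sane behaviour,
// not Chromium's actual code).
function naiveAutofill(form, creds, { skipHidden = false } = {}) {
  const filled = form.map((f) => ({ ...f }));
  const userField = filled.find(
    (f) => f.type === "text" && /user/i.test(f.name) && !(skipHidden && f.hidden),
  );
  if (userField) userField.value = creds.username;
  const pwField = filled.find((f) => f.type === "password");
  if (pwField) pwField.value = creds.password;
  return filled;
}

// What the human does afterwards: type into the visible username field if it
// is still empty. They cannot see, and therefore cannot clear, the hidden one.
function humanCompletes(form, creds) {
  const done = form.map((f) => ({ ...f }));
  const visible = done.find((f) => f.name === "openid.username");
  if (visible && visible.value === "") visible.value = creds.username;
  return done;
}

// Server-side honeypot check: any content in the hidden field means "bot".
// This is the decision the thread reports as "Bad bot, go away!"; the exact
// rule is a common one and is assumed here, not quoted from the SSO code.
function isBadBot(submission, honeypotName) {
  const hp = submission.find((f) => f.name === honeypotName);
  return Boolean(hp && hp.value !== "");
}

// Run the whole flow with constructed credentials and report whether a
// legitimate login would be rejected (a false positive of the honeypot).
function falsePositive(honeypotName, autofillOpts) {
  const creds = { username: "alice", password: "correct horse" }; // constructed
  const form = makeLoginForm(honeypotName);
  const submission = humanCompletes(naiveAutofill(form, creds, autofillOpts), creds);
  return isBadBot(submission, honeypotName);
}

function demo() {
  // Old name contains "user": the honeypot gets filled, the human is rejected.
  console.log("openid.usernamesecret:", falsePositive("openid.usernamesecret"));
  // Renamed honeypot (the workaround in this thread): no match, login passes.
  console.log("openid.secret:", falsePositive("openid.secret"));
  // An autofiller that skips hidden fields passes even with the old name.
  console.log("hidden-aware autofill:", falsePositive("openid.usernamesecret", { skipHidden: true }));
}

demo();
```

The model shows why both fixes in the thread work independently: renaming the honeypot removes the trigger word the heuristic keys on, and a hidden-aware autofiller never touches the field regardless of its name. It also shows the limit of the rename, which only helps against heuristics that match on the field name; an autofiller matching on position or on any text input would still need the visibility check.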
Maximiliano Bertacchini (maxiberta) wrote :

Chromium 69 (stable) should now be smarter about autocompleting login forms. OTOH, we tweaked the field name and position slightly to prevent overeager autofillers from filling it up.

Changed in chromium-browser:
status: Fix Committed → Fix Released
Daniel Manrique (roadmr) wrote :

Looks like this bug has resurfaced as of Chrome 75. We've already updated one of our forms to not show the honeypot field, but we can't reasonably remove it from everywhere to cater to Chrome's changes.

The right fix is for Chrome to fix their heuristics and stop auto-filling fields improperly; if anyone lands on this bug report, the correct place to indicate you're also affected is not here, but in Chrome's bug tracker.

https://bugs.chromium.org/p/chromium/issues/detail?id=851808

Daniel Manrique (roadmr) wrote :

Upstream suggested adding a "new-password" attribute to both password fields:
https://bugs.chromium.org/p/chromium/issues/detail?id=851808

Not sure it would help, since the affected field is not a password field but a honeypot field, but it may be worth a try.

Valentin Lab (vaab) wrote :

There are numerous reports touching a little bit every browser or plugin. I'm on Firefox 94 now (no plugins), and it is a real pain in the ass to get through the openid request. This honeypot technique seems really flawed and generates way too many false positives, to my understanding, from many legit auto-fillers. It's also the first time I'm confronted with this type of false-positive honeypot. So after chrome/chromium/LastPass and now Firefox, I wonder what will be needed to admit there are probably some issues with the technique used.

I managed to get through using javascript console:

document.querySelector('form input[type=text]').value = ""

cf:
- https://bugs.launchpad.net/canonical-identity-provider/+bug/1949766
- https://www.youtube.com/watch?v=hcJYEh7NFas
