by TJSomething 3148 days ago
In a medical setting, most computers are public. Sharing passwords is a HIPAA violation, because HIPAA requires a complete, accurate log of everyone who has looked at or modified a medical record.

My guess is that many medical computers aren't well administrated and leave autofill on, which can easily cause accidental HIPAA violations.

Disabling autofill seems like the wrong way to handle the problem, though. Autofill does not necessarily mean that passwords are being shared; it just means that the user isn't typing them in. Strong policies on the machines in question and ensuring that users aren't sharing each other's environments seems like a considerably more complete solution to me. This can be facilitated by tools like https://www.imprivata.com/single-sign-on-sso. Ironically enough, disabling autofill may actually prevent this tool from providing some of the benefits it's intended to provide.

While I agree that autofill on its own is not a complete solution to GP's scenario, it's certainly a potential point-of-failure, and I understand their need to eliminate as much risk as possible. While the most significant aspect to be improved is the security habits of the clients themselves, that doesn't mean that GP and their company should be prevented from doing what little they can just because Google wanted things to work their way.

That's why there are profiles. Even in Chrome. But also in Windows.

Or that's why then the SysAdmin should disable the password manager.

It's not up to the website.

If you have an internal site, you already control the browser, then why do you want to fight the browser from the inside instead of from the outside? :o