Below are the cases where we auto-populate credentials:
– The site must be an SSL site.
– The site certificate must be valid and the page must not have mixed SSL and non-SSL content.
– The login form must not be in a frame.
– The tab must not be in inPrivate mode
– The user must have exactly one credential stored for the site (If two or more credentials are stored for the same site, we won’t auto-populate, as we wouldn’t know which user is currently using the machine)
In every other case, the user can double click or tap into the field to access a dropdown of credentials to use. Adhering to these rules prevents malicious sites from harvesting credentials by pretending to be a legitimate site. Hope this clarifies things.