Wednesday, 2 March 2016

Best way to disable browser Autocomplete on web form field

Please think carefully about this. It makes sense to disable saving credit card information etc, but unless you are a bank, preventing password autofill can significantly decrease how many users bother to login to your site, especially on phones where entering passwords on cramped keyboards is a lot of effort.
Another reason you'd want to do this is so password, captcha, and credit card information doesn't get filled in. It can be a really valid thing to do in other situations though - such as in user-management forms - adding / updating a user - you almost never want passwords to be auto completed when admining the set of users in a large system.

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014: According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.
Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*

 type="text" name="foo" autocomplete="off" />

In addition to autocomplete=off, you could also have your form fields names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names. When the form is submitted, you can strip that part off before processing them on the server side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn't be able to guess the field names for a form submission.

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Why? Many banks and other "high security" websites added autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

What's a web developer to do?

If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow
Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:

<input type="text" style="display:none">
<input type="password" style="display:none">

the answer is autocomplete="off"

No comments:

Post a Comment

Hit me with a comment!