Input Type=Password, Don't Let Browser Remember the Password

Input type=password, don't let browser remember the password

Try using autocomplete="off". Not sure if every browser supports it, though. MSDN docs here.

EDIT: Note: most browsers have dropped support for this attribute. See Is autocomplete="off" compatible with all modern browsers?

This is arguably something that should be left up to the user rather than the web site designer.

How to prevent a browser from storing passwords

Thank you for giving a reply to me. I followed the below link

Disable browser 'Save Password' functionality

I resolved the issue by just adding readonly & onfocus="this.removeAttribute('readonly');" attributes besides autocomplete="off" to the inputs as shown below.

<input type="text" name="UserName" autocomplete="off" readonly 
onfocus="this.removeAttribute('readonly');" >

<input type="password" name="Password" autocomplete="off" readonly 
onfocus="this.removeAttribute('readonly');" >

This is working fine for me.

Disable browser 'Save Password' functionality

I'm not sure if it'll work in all browsers but you should try setting autocomplete="off" on the form.

<form id="loginForm" action="login.cgi" method="post" autocomplete="off">

The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value "off".

From https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

Some minor research shows that this works in IE to but I'll leave no guarantees ;)

@Joseph: If it's a strict requirement to pass XHTML validation with the actual markup (don't know why it would be though) you could theoretically add this attribute with javascript afterwards but then users with js disabled (probably a neglectable amount of your userbase or zero if your site requires js) will still have their passwords saved.

Example with jQuery:

$('#loginForm').attr('autocomplete', 'off');

Prevent Chrome from prompting to save password from input box?

One solution or workaround is to add <input type="password" style="display:none"/> above the real password input box. Chrome only tries to save the first password it finds and if it's blank it won't throw up the dialog to save it.

Prevent browser from remembering credentials (Password)

if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

You should also set autocomplete="off" on your input as well as your form.

Google Chrome release notes:

The Google Chrome UI for auto-complete request varies, depending on whether autocomplete is set to off on input elements as well as their form. Specifically, when a form has autocomplete set to off and its input element's autocomplete field is not set, then if the user asks for autofill suggestions for the input element, Chrome might display a message saying "autocomplete has been disabled for this form." On the other hand, if both the form and the input element have autocomplete set to off, the browser will not display that message. For this reason, you should set autocomplete to off for each input that has custom auto-completion.

autocomplete ='off' is not working when the input type is password and make the input field above it to enable autocomplete

Browser's normally have two related yet different features regarding forms:

  • Form auto-complete, where items of <input type="text"> type (and similar) collect typed values and offer them back in the form of a drop-down list.
    (It's a simple feature that works pretty well.)

  • Password manager, where browser prompts to remember username/password combinations when it detects you've submitted a login form. When returning to the site, most browsers display available usernames in a drop-down box (Firefox, Chrome, Internet Explorer...) but some have a toolbar button (Opera). Also, Chrome highlights the fields in hard-coded yellow.

    (This depends on heuristics and might fail on certain pages.)

There's an edge case with forms tagged as autocomplete="off". What happens if it's a login form and the user has previously stored a username/password? Actually removing the password from the local database looks like inappropriate so probably no browser does so. (In fact, data from form auto-complete is not erased either.) Firefox decides to give power to the user: you have a password, so I'll let you use it. Chrome decides to give power to the site.

HTML - Disable Password Manager

This works in the current Firefox (51), Chrome (55), Edge (38) and IE (11):

Use three different hidden password inputs with three different values. This seems to prevent the browser from activating the password manager because it cannot guess which of the three values is the new password to use.

<form name="testform" action="index" method="post"
      autocomplete="off">

    <input name="disable-pwd-mgr-1" type="password" id="disable-pwd-mgr-1" style="display: none;" value="disable-pwd-mgr-1" />
    <input name="disable-pwd-mgr-2" type="password" id="disable-pwd-mgr-2" style="display: none;" value="disable-pwd-mgr-2" />
    <input name="disable-pwd-mgr-3" type="password" id="disable-pwd-mgr-3" style="display: none;" value="disable-pwd-mgr-3" />

    <label for="protected-input">Protected Input</label>
    <input autocomplete="aus" type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" />

    <button name="next" id="next" type="submit" value="Next">
        NEXT
    </button>
</form>

Over the last years, Browser manufacturers have started to ignore the "autocomplete=off" option for password forms. For example, see the change issue for Firefox.

The reasoning is simple: A lot of websites want to disable auto-complete for login forms based on a false understanding of security. Allowing users to store passwords in secure password managers (as provided today by current browsers) is not a security risk. In fact, it helps security by allowing users to use secure and individual passwords for different websites.

So, don't try to disable browser password managers because you think this would increase security for your users. It doesn't.

There might be scenarios where you don't want a password manager to pop up for example because the password entered is a one-time-password or tan that is of no use a second time. But in the case of a one-time-password / tan, why use a password input at all? Just use a normal input.

Discussion on the issue on Security Stackexchange


Related Topics

White Space Showing Up on Right Side of Page When Background Image Should Extend Full Length of Page

How to Truncate Table Cells, But Fit as Much as Content Possible

How to Vertically Center a <Span> Inside a Div

Css: Workaround to Backdrop-Filter

How to Change the Color of Font Awesome's Cog Icon

Pick Images of Root Folder from Sub-Folder

Chrome Rendering Issue. Fixed Position Anchor with Ul in Body

Css3 Transform Not Working

Img Tag Displays Wrong Orientation

CSS Selector "(A or B) and C"

How to Make a Transparent Canvas in HTML5

How Does One Use the Onerror Attribute of an Img Element

Audio Capturing with HTML5

Convert a SQL Query Result Table to an HTML Table for Email

How to HTML Encode/Escape a String? Is There a Built-In

Space Before Closing Slash

Change the Color of a Bullet in a HTML List

How to Show Dots ("...") in a Span with Hidden Overflow


Leave a reply



Submit