22

Our security team requires us to disable the password manager for protected fields on the HTML form. As an example, here's an oversimplified HTML form below. When I click the submit button, Firefox (version 51.0.1) pops up the password manager.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
</head>
<body>
    <form name="testform" action="disable-pwd-mgr.htm" method="post"
        autocomplete="off">

        <label for="protected-input">Protected Input</label> 
        <input type="password" size="16" maxlength="16" id="protected-input"  name="protected-input" accept="numbers" />
        <input type="password" id="disable-pwd-mgr-1" style="display: none;" value="stop-pwd-mgr-1"/>
        <input type="password" id="disable-pwd-mgr-2" style="display: none;" value="stop-pwd-mgr-2"/>

        <button name="next" id="next" type="submit" value="Next">
            NEXT
        </button>

    </form>
</body>
</html>

Note that all alternatives suggested here didn't work.

  1. autocomplete=off didn't work.
  2. Having another hidden input field of type password didn't work.

Using the two separate additional hidden password inputs, each with different dummy values seems to work for the case when the user actually inputs a value into the protected field and clicks submit. But if the field is left blank and the submit button is clicked, the password manager pops up again. Interestingly chrome (Version 55) doesn't pop up the password manager at all, which is good. Does anyone have a better solution to this problem?

code4kix
  • Do you use javascript on this? There are no name tags on the input so the data will never get submitted server side, are we missing something? – Martin Jan 30 '17 at 21:19
  • I'm not sure that you can. Firefox and IE11 (not sure about Edge) decided that you can't override this behavior. https://bugzilla.mozilla.org/show_bug.cgi?id=956906 – Brandon Jan 30 '17 at 21:22
  • [useful reference link](https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion) : `If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet.` – Martin Jan 30 '17 at 21:23
  • Are you aware that disabling password managers will result in users choosing dumb passwords? – Julian Jan 30 '17 at 21:24
  • @Julian while that's probably true, it does depend on the user and their own security abilities.... – Martin Jan 30 '17 at 21:24
  • Thanks for replies. Yes, I do use name tags etc. I just oversimplified my form to have just enough to replicate what firefox is doing. BTW, order (having those hidden fields before or after) doesn't seem to make any difference. – code4kix Jan 30 '17 at 21:30
  • Actually, I cannot reproduce the Firefox password manager becoming active with the code posted above. It only appears after deleting the two hidden inputs. Please provide a mcve. http://stackoverflow.com/help/mcve – NineBerry Jan 30 '17 at 21:52
  • Just don't enter anything in the field and hit submit. Firefox (v 51) pops up the password manager. If you comment the two hidden fields, it's the opposite effect (entering something will pop up the pwd mgr). – code4kix Jan 30 '17 at 21:55

7 Answers

25

Just wanted to add that including:

data-lpignore="true"

on your input element will disable Last Pass on that field. Not sure if other password managers have something similar.

caseybettridge
  • This should be the number one answer. Also works with 1Password when having this attribute on an element: data-1p-ignore – Jørgen Jun 21 '23 at 10:26
21

This works in the current Firefox (51), Chrome (55), Edge (38) and IE (11):

Use three different hidden password inputs with three different values. This seems to prevent the browser from activating the password manager because it cannot guess which of the three values is the new password to use.

<form name="testform" action="index" method="post"
      autocomplete="off">

    <input name="disable-pwd-mgr-1" type="password" id="disable-pwd-mgr-1" style="display: none;" value="disable-pwd-mgr-1" />
    <input name="disable-pwd-mgr-2" type="password" id="disable-pwd-mgr-2" style="display: none;" value="disable-pwd-mgr-2" />
    <input name="disable-pwd-mgr-3" type="password" id="disable-pwd-mgr-3" style="display: none;" value="disable-pwd-mgr-3" />

    <label for="protected-input">Protected Input</label>
    <input autocomplete="aus" type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" />

    <button name="next" id="next" type="submit" value="Next">
        NEXT
    </button>
</form>

Over the last few years, browser manufacturers have started to ignore the "autocomplete=off" option for password forms. For example, see the change issue for Firefox.

The reasoning is simple: A lot of websites want to disable auto-complete for login forms based on a false understanding of security. Allowing users to store passwords in secure password managers (as provided today by current browsers) is not a security risk. In fact, it helps security by allowing users to use secure and individual passwords for different websites.

So, don't try to disable browser password managers because you think this would increase security for your users. It doesn't.


There might be scenarios where you don't want a password manager to pop up, for example because the password entered is a one-time password or TAN that is of no use a second time. But in the case of a one-time password / TAN, why use a password input at all? Just use a normal input.


Discussion on the issue on Security Stackexchange

NineBerry
  • Thank you! I tried two hidden inputs and stopped for some reason. What if that field is an SSN? And it's for one time use? And you want to prevent users for seeing it? We can probably mask it with javascript but it gets really messy right? – code4kix Jan 30 '17 at 22:42
  • @code4kix Your scenario could be one of the few cases where not wanting password manager for hidden entry. The answers to this question discuss some possibilities of implementation: http://stackoverflow.com/questions/22457344/masking-input-characters-without-type-password – NineBerry Jan 30 '17 at 23:20
  • I just want to wait a little more if others want to weigh-in before I accept your answer. – code4kix Jan 31 '17 at 18:07
  • I'm finding this scenario exceptionally annoying right now with my use case. I am dynamically rendering a `text` or `password` type input with Vue.js and when it removes the `password` input and replaces it with a `text` input, the password manager still appears for the `text` input where it definitely should not. I've tried using a single input and dynamically changing the `type` attr, doesn't work. I tried switching out whole input elements - doesn't work either. Chrome still presents a password manager for `text` type. – danjah Jul 14 '19 at 02:11
  • @danjah I suggest you ask a separate question with the right tags and the necessary code to reproduce the issue – NineBerry Jul 14 '19 at 06:23
  • Thanks! This seems to still work. I'm baffled that the browsers seem to agree that with 4 password inputs, it doesn't make sense to suggest remembering the password, but with 3 they still try :) – LOAS Jan 14 '20 at 06:46
  • When developing a back office and using a password input to change the password of another user in the database... We should never suggest to change the password of the current user! And only the developer is about to know the context. – Loenix Oct 04 '21 at 14:02
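The JavaScript masking that the comments above allude to, as an added example that is not code from the question or any answer. It assumes a browser DOM for bindMaskedInput and uses a plain <input type="text">, so there is no password field for a browser or extension password manager to capture; the secret never leaves script memory until the form submits it.

```javascript
// Added example, not code from the question or any answer: keep the secret out
// of a type="password" field altogether so no password manager sees one, while
// still hiding the characters on screen. The real value lives in a closure; the
// visible <input type="text"> only ever contains bullet characters.
const MASK = "\u2022"; // "•"; a real value containing this character is not supported

// Display string for a real value of the given length.
function maskFor(real) {
  return MASK.repeat(real.length);
}

// Rebuild the real value after an edit. prevReal is the value before the edit,
// display is the input's current contents (bullets for kept characters, plain
// text for whatever was just typed or pasted) and cursor is selectionStart
// after the edit. Bullets before the typed run map to the old prefix, bullets
// after it to the old suffix. A pure deletion has no typed run, so it is split
// at the cursor: that is the only way to know which hidden characters went.
function reconcileMasked(prevReal, display, cursor) {
  let i = 0;
  while (i < display.length && display[i] === MASK) i++;
  let j = display.length;
  while (j > i && display[j - 1] === MASK) j--;
  if (i === j) {
    i = j = Math.min(cursor, display.length);
  }
  const suffixLen = display.length - j;
  const suffix = suffixLen > 0 ? prevReal.slice(prevReal.length - suffixLen) : "";
  return prevReal.slice(0, i) + display.slice(i, j) + suffix;
}

// Wire a plain text input up as a masked field (assumes a browser DOM). Returns
// a getter for the real value; submit that via script or copy it into a hidden
// input on submit, since the visible field never carries anything but bullets.
function bindMaskedInput(input) {
  let real = "";
  input.setAttribute("autocomplete", "off");
  input.setAttribute("spellcheck", "false");
  input.setAttribute("autocapitalize", "off");
  input.addEventListener("input", () => {
    const cursor = input.selectionStart;
    real = reconcileMasked(real, input.value, cursor);
    input.value = maskFor(real);
    input.setSelectionRange(cursor, cursor);
  });
  return () => real;
}
```

Because the field is a text input, nothing about it signals "password" to the browser, so this suits one-time values such as an OTP or the SSN scenario in the comments, not a credential users should be able to save.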
4

Modern browsers respect autocomplete="new-password" on password input fields. But it is not supported in IE.

For browser support refer: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete

LAXIT KUMAR
  • `autocomplete="new-password"` is for, well, new password. As an example, this makes Firefox suggest a secure generated password, and on submit asks to store it as a new/updated password. – Mattias Wallin Aug 12 '21 at 09:16
  • Did not work for me in latest firefox – jjxtra Jan 01 '23 at 20:56
3

Some browsers may respect autocomplete="off" on the input fields themselves:

<form name="testform" action="disable-pwd-mgr.htm" method="post"
    autocomplete="off">

    <label for="protected-input">Protected Input</label> 
    <input type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" autocomplete="off" />
    <input type="password" id="disable-pwd-mgr-1" style="display: none;" value="stop-pwd-mgr-1"/>
    <input type="password" id="disable-pwd-mgr-2" style="display: none;" value="stop-pwd-mgr-2"/>

    <button name="next" id="next" type="submit" value="Next">
        NEXT
    </button>
</form>

However, in practice, the browser (and extensions) will often ignore this directive.

Patrick Moore
1

Simple hack (Feb 2022)

I tried many solutions and nothing worked; the simple hack is:

  1. Use text-security-disc as font-family to display font of text field as disc
  2. Use webkit-text-security CSS property (for now it's only for Chrome, we can use that as fallback of text-security-disc font)

Example

<input type="text" name="password" class="password">

<style>
@font-face{
  font-family: text-security-disc;
  src: url("https://raw.githubusercontent.com/noppa/text-security/master/dist/text-security-disc.woff");
}
.password{
  -webkit-text-security: disc;
  font-family: text-security-disc;
}
</style>

In the above example, -webkit-text-security: disc; is used as a fallback for font-family: text-security-disc. So in case text-security-disc is unavailable, -webkit-text-security: disc; will work.

Good Luck

Vikas Dwivedi
0

None of these work as of 10/11/2022: the extra password fields, if hidden through display:none; or visibility:hidden;, are ignored by LastPass.

What I did was add the following to a fake password field

<input id="disable_autofill1" name="disable_autofill1" 
  style="height:0; width:0; background:transparent;
         border:none;padding:0.3px;margin:0;display:block;" 
type="password">

This seems to be enough to minimize the size this element takes on screen (pretty much 0 for me) while still not triggering LastPass's vicious algorithm. I've put it before my real password field; that's not even the right "password" field for the site, but it gets detected as one either way.

Danail Gabenski
0

I ran into this problem with Chrome 111 and found an easy workaround.

The password form loads in the page as type="input" but as soon as the user clicks on it, it changes to type="password". In my test with Bitwarden, it does not fill in the field.

<input type="text" name="pwd" class="loginotpinput" onclick="this.type='password';" required>

I've also tested in Edge V111 and Firefox V103. If you have a different browser/version/pwd manager and want to add a test result, that would be shiny!

Just to note as to why I'm doing this, the user is already logged in but I have a sensitive feature that I don't want them to activate <eyeroll> ACCIDENTALLY </eyeroll> so I have them re-enter their password.

TorontoJim