2

Here's the scenario: I login to my site, at which point the browser asks me if I would like to save my details, I click yes. Later on I wish to change my password, so I go to the change password page. The browser automatically assumes the 'old password' input box is a login box and puts in the current password. This means all I have to do is type in a new password twice and the password will be changed.

It is easy to see how this is a potential security risk... I have tried a couple methods to override this which were:

  • Explicitly setting the input value to blank in HTML.
  • Setting autocomplete to off in HTML.
  • Using Javascript to set the value to blank (on page load, click, setTimeout).

None of my attempts thus far have worked. So my question is: Is there a cross browser solution that allows a developer to override/specifically declare where passwords should and shouldn't be filled in by the browser?

ONDoubleB
  • 320
  • 1
  • 10
  • Yes I'm on Mavericks. – ONDoubleB Jul 23 '14 at 11:39
  • If you are talking about Chrome, then no not really. There are some hacks (adding hidden inputs) but they're not nice. – Colin Bacon Jul 23 '14 at 11:41
  • Unfortunately I thought that this may be the case, thanks. – ONDoubleB Jul 23 '14 at 11:43
  • You ll probably have to go to chrome://settings/ if using chrome (settings->advanced settings->Passwords and Forms) and disable autofill :/ Same setting in Safari in Autofill tab – trainoasis Jul 23 '14 at 11:46
  • You could change the name of the inputs so autofill doesn't recognize them. But that will get messy in the backend I guess. – Jonathan Jul 23 '14 at 11:48
  • 1
    That's something else I have tried but forgotten to mention, it seems browsers only detect by `type` rather than by `id`. – ONDoubleB Jul 23 '14 at 11:50
  • duplicate problem Search first please http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag – Güven Altuntaş Jul 23 '14 at 12:00
  • Can you post some specific examples of what you've tried? I'm pretty sure I've seen the ability to disable autocomplete on "profile update" pages before... – bhawkeswood Jul 23 '14 at 14:00
  • You could also check out http://stackoverflow.com/questions/15074985/disable-autofill-on-a-web-form-through-html-or-javascript unless I'm misunderstanding your aim... – bhawkeswood Jul 23 '14 at 14:16

3 Answers3

0

Example (of what to do):
<input type="text" value="" placeholder=""></input>


Hope it helped

Oliver-H-Miller
  • 451
  • 1
  • 7
  • 19
0

Just add autocomplete="off" so the browser not touch your box anymore.

<input type="text" name="xxx" autocomplete="off" />
Wilf
  • 2,297
  • 5
  • 38
  • 82
  • As I stated in my question, my attempt of this method did not work. (Tested on OS X using Chrome) – ONDoubleB Jul 23 '14 at 19:58
  • well, what about using jquery to reset the form on page load? `$('form').each(function() { this.reset() });` – Wilf Jul 23 '14 at 20:05
0

Unfortunately it seems that, backed up by the research I have done and the response to my question, the answer is that there isn't currently a reliable, cross browser solution for this problem.

ONDoubleB
  • 320
  • 1
  • 10