13

What are your thoughts about this issue in regards to an e-commerce environment?

Do you think it is wise to turn autocomplete off on all sensitive input fields such as passwords (for log-in areas), or will this just inconvenience the client?

skaffman
new_guy

9 Answers

38

I hate websites that do that. It is the client's decision if they want to save passwords or not. What is particularly irksome is that this attribute breaks OS X's native KeyChain support. So, even though the user has stored their password in a secure file and authorized themselves and the application to use it, the website still thinks it knows better. Just plain annoying.

James Sumners
  • +1. I'll accept it for CC# fields and for logging into my bank's website, but for most anything else it's just really annoying. – afrazier Jun 18 '10 at 01:40
  • There are plugins that can turn it on again. The purpose is that the user thinks about what he wants to write in that field and doesn't just select stuff he already entered. Plus, saving passwords on every browser you use for business is a bad idea. – IAdapter Jun 20 '10 at 14:33
  • 2
    Again, it is up to the _user_ to make that decision. I consider this tantamount to resizing the browser window or trying to disable the context menu. It is not the web site's place to screw with the client's software. – James Sumners Jun 21 '10 at 12:35
  • Modern versions of web browsers now store the autocomplete-saved credentials encrypted. One has to type in their Windows account login in order to unlock it. Any admin doing a password reset on the account destroys the key to the file, so the saved credentials are lost. Disabling autocomplete doesn't make anything more secure. It just provides a false sense of security and can reduce security, since users will just reuse or write down more passwords instead. – rbeede Jun 19 '12 at 19:16
5

An eCommerce application I worked on several years ago underwent a security audit and one of their recommendations was to disable autocomplete for sensitive fields.

It wasn't a strict requirement, but it probably will be at some point, given how eCommerce standards are these days.

Damien Dennehy
  • +1 I have also seen this and I agree that some data should not be stored, such as CCNs. – rook Jun 15 '10 at 06:23
4

Unless it is a highly-secure site, I would tend to leave autocomplete on. If it is for a password field, the browser will prompt the user if they want to save the information, at which point the user can make their own decision.

Justin Ethier
3

I really dislike that when I start to type in my credit card number and it lists all of the numbers I have used in the past, as well as the 3 digit code. Not cool IMO.

Rob Goodwin
  • The page authors should set this, but there should be a way to specify "don't save the contents of stuff I enter on secure pages" and if there is...WHERE IS IT? :D – Broam Jun 14 '10 at 20:46
  • You must think it's really cool when spyware digs through the cache and swipes your CCN. – rook Jun 15 '10 at 06:22
  • Maybe tell your browser not to save it when it asks? Or turn off saving passwords altogether? Or erase them from the history? You do not present a reason why websites should be overriding the wishes of the client and their browser configuration. Also, you may be referring to Google Wallet's Chrome integration to fill in credit card numbers ... those aren't even stored in the browser profile. – Jason Jun 11 '15 at 22:38
0

It depends what you mean by e-commerce. In Internet banking you should disable autocomplete. In online shopping, not necessarily.

It's worth remembering that autocomplete does not force remembering passwords. The user has to agree to store their credentials, so they can always refuse.

0

I concur. By habit, I leave autocomplete on. However, there was a project for the Air Force I was working on that had a requirement to disable autocomplete. It really depends on your requirements.

Andy Evans
0

I actually don't think I've ever seen "autocomplete" work on a password field.

Autocomplete (when you start typing something in a form field and the browser pops up a list of suggestions) and asking the browser to remember your user name and password are two different things.

If you're talking about the browser feature that remembers your username and password, I'm not aware of a way for you to disable that on the user's machine.

MiguelR
  • At least in Safari on OS X, where usernames and passwords are stored in the system KeyChain by default, setting `autocomplete="off"` on a login form will prevent autofill. An example is searscard.com. – James Sumners Jun 14 '10 at 20:54
0

I use password/form managers like 1Password and RoboForm specifically to get around websites that disable autocomplete; these add-ons typically ignore the website's preferences in favor of their own more sophisticated logic.

Craig Walker
0

Most e-commerce sites disable autocomplete for credit card fields. They store and redisplay the info when an authenticated user returns, then only require the user to re-enter the CVV. This way the site gets users to sign up (otherwise, they'd have to re-enter the full CC info every time), keeps the CC info masked on subsequent visits, and only burdens the user with entering a three-digit number. (It's also a small way of building secure practice around CC numbers so users will hopefully be more protective of them.)

Keep in mind that setting autocomplete on/off only addresses confidentiality of data in shared environments, i.e., where more than one person accesses the same browser. For example, if your app were intended for a classroom, then it would make more sense to disable autocomplete entirely, since the app will be reused in the same browser by many different people.

Consider it an (in)convenience feature, not a security feature. You can't protect users from every dumb mistake when sharing browsers (like not logging out) and, to be nicer to dumb users, it won't have any bearing on client-side attacks like keyloggers. If the shared environment isn't secure, then your app can't do much to protect its users.

Mike