I have an ASP.NET/MVC/Razor project that the client has requested not save usernames and passwords. I've found multiple sites saying that `autocomplete = "off"` or `autoCompleteType = "disable"` should work, but they don't work for me in Chrome 42. I've seen sites that say autocomplete is in HTML5 and should work, but I've also seen sites that say it is NOT supported by modern browsers. My questions are:

  1. Can someone give me a definitive answer on whether there is a way to block saving passwords in modern browsers? And, if there is, how to do that?

  2. If this can't be done, can someone point me to a website that explains that this can't be done in modern browsers? I don't want a Stack Overflow comment or message board discussion; I need a definitive, clear, professional explanation that I can show to the client explaining why this can't be done in a simple way.

Here are a couple of sites that seem to disagree with each other:

"IE11 dropped support for autocomplete=off for input type=password at both the form and element level." (How to disable autocomplete for a HTML password field in IE11?)

"HTML5 has an autocomplete attribute which can be specified as either on or off in a field." (Autocomplete text input for HTML5?)

Here is the code I've used with the autocomplete tags:

In the form:

```
@using (Html.BeginForm("Login", "Admin", FormMethod.Post, new { @autocomplete = "off", @autoCompleteType = "disable"}))
```

In the input tags:

```
@Html.TextBoxFor(m => m.UserName, new { @class = "span12", @autocomplete = "off", @autoCompleteType = "disable" })
@Html.PasswordFor(m => m.Password, new { @class = "span12", @autocomplete = "off", @autoCompleteType = "disable" })
```

I also tried enabling autocomplete through JavaScript:

```
$("input:text,form").attr("autocomplete", "off")
```

Also tried setting the text boxes to blanks, but the values still get populated by the browser:

```
$("#UserName").val("");
$("#Password").val("");
```
boilers222
  • When you say it doesn't work, is it possible the browser has already saved the password on the site you're testing after you implemented `autocomplete=off`? – mellis481 May 27 '15 at 13:51
  • Chrome [has been ignoring `autocomplete=off`](http://www.theregister.co.uk/2014/04/09/chrome_makes_new_password_grab_in_version_34/) for a year now. – DCoder May 27 '15 at 13:53
  • @im1dermike I cleared all my saved passwords from Chrome first. The username and password fields are clear when I start, but then I get the "do you want to save" prompt. If I click yes, they're right back. – boilers222 May 27 '15 at 14:45
  • @DCoder Thanks for the info. Do you know of a website I could show the client saying that autocomplete doesn't work in Chrome? My boss isn't going to let me just show them a comment on a site like this; I need an official statement. – boilers222 May 27 '15 at 14:46
  • Try [the release notes](http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html) or the related mailing list discussions [1](https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/zhhj7hCip5c/PxbtDtGbkV0J) , [2](https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/wYGThW5WRrE). – DCoder May 27 '15 at 14:51
  • @DCoder That's perfect. Thank you! – boilers222 May 27 '15 at 14:54

1 Answer

Thanks to @DCoder for finding this:

"TUESDAY, APRIL 8, 2014...Chrome will now offer to remember and fill password fields in the presence of autocomplete=off. This gives more power to users in spirit of the priority of constituencies, and it encourages the use of the Chrome password manager so users can have more complex passwords."

http://googlechromereleases.blogspot.com/2014/04/stable-channel-update.html

If anyone finds any other official statements, please post them here. Thanks!

boilers222