I have an existing asp.net mvc web application which I would like to stop browsers from auto remembering passwords for next time. Can I do this without needing to change the input autocomplete="off" on the password as whilst I can see this should resolve future ones any one who has already done this action can probably still login as the password is cached.
Asked
Active
Viewed 6,192 times
2 Answers
3
Indeed autocomplete="off" will do the trick. You'll see it being used here in SO as well (top right):
<input style="display: inline-block; width: 188px; max-width: 188px;" name="q" placeholder="search" value="" tabindex="1" autocomplete="off" maxlength="240" type="text">
You can add it to your input using Razor:
@Html.TextBoxFor(model => model.Input, new { autocomplete="off" })
You can also target all of them at once with jQuery:
$(document).ready(function() {
$("input:text, form").attr("autocomplete", "off");
})
For the caching part, have a look at this excerpt from "How to Turn Off Form Autocompletion" (MDN) (the whole document is worth a read):
Setting
autocomplete="off"here has two effects:
- it stops the browser saving field data for later autocompletion on similar forms though heuristics that vary by browser.
- it stops the browser caching form data in session history. When form data is cached in session history, the information the user has filled in will be visible after the user has submitted the form and clicked on the Back button to go back to the original form page.
In some case, the browser will keep suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really force the no-completion is to assign a random string to the attribute like so :
autocomplete="nope"Since this random value is not a valid one, the browser will give up.
You should also check if this behavior is consistent between all major browsers (depending on what browser support you are after).
Update: Michael Liu has noted in the comments that "Modern browsers ignore the autocomplete attribute on password fields", in which case I am not aware of a legitimate solution.
You could try placing an additional input field of type password on top of your actual one and set it to hidden, the browser should attempt to autocomplete that instead:
<!-- before your actual password field -->
<input style="display: none;" type="password" name="pwdplaceholder"/>
...it is however messing with browser behavior which is not best practice.
Also have a look at another SO question (shared by Michael Liu in the comments).
-
Has this actually answered the question? From OP: "I can see this should resolve future ones any one who has already done this action can probably still login as the password is cached." – Jamie Rees Jan 25 '16 at 15:57
-
1Modern browsers ignore the `autocomplete="off"` attribute on password fields. – Michael Liu Jan 25 '16 at 16:06
-
1@MichaelLiu isn't what `autocomplete="nope"` per the excerpt above is supposed to achieve? – trashr0x Jan 25 '16 at 16:11
-
1@trashr0x: That doesn't work either. I suppose I should have said *Modern browsers ignore the `autocomplete` attribute on password fields.* – Michael Liu Jan 25 '16 at 16:15
-
@MichaelLiu is there a real workaround then? How about hidden input fields to trick the browser to fill those instead? – trashr0x Jan 25 '16 at 16:19
-
1@trashr0x: See http://stackoverflow.com/questions/32369/disable-browser-save-password-functionality (and ignore the accepted answer). – Michael Liu Jan 25 '16 at 16:30
-
@MichaelLiu thanks, I believe the non-accepted answers propose similar approaches to my update above. I'll update accordingly. – trashr0x Jan 25 '16 at 16:35
1
You can try using this (Preventing autofilling with autocomplete="new-password"):
autocomplete = "new-password"
For example:
@Html.PasswordFor(m => m.NewPassword, new { @class = "form-control", autocomplete = "new-password" })
And this is the Browser Compatibility:
