
I need to allow users to change their password and as such I have 2 fields on a form:

  1. enter your new password
  2. re-enter your new password (values for field 1 and 2 must match)

To keep the operation private for the user, the obvious choice to use is input type="password" field - which is what I am trying to do.

However, browser password managers keep offering to auto-fill the fields, an activity which simply makes no sense in this context.

In fact, in my opinion, the practice is actively insecure, because it increases the likelihood that people will choose passwords "similar" to what they currently have, by accepting what is offered by the password manager and making minor adjustments. (just a quick note that there's no need to mention that safeguards to ensure difference can be put in place as I'm aware of this - thanks)

I have already done a lot of research to try to disable the password managers, including:

  • autocomplete="off/new-password/rubbish value" (for both form and type="password" fields, separately and at the same time)
  • using javascript to change the field from type="text" to type="password" on focus
  • inserting hidden password fields prior to the password field on the form
  • removing name and id from the field

But, while some approaches work partially, nothing works consistently.

The only thing that I can find to do that seems to have a shot at succeeding is using a type="text" and displaying circles by using a dummy "password" font.

However, this approach feels like I am fighting the browsers, and I just cannot credit that there is no easy way to enter "hidden" text without having the password manager involved.

Additional notes:

Hence this question. Is there possibly any password guru out there who knows how to disable the password managers when entering hidden text? Thanks!

Pancho
  • Possible duplicate of [How to prevent a browser from storing password](https://stackoverflow.com/questions/41217019/how-to-prevent-a-browser-from-storing-password) – Jay Sep 15 '17 at 14:21
  • @jay - thanks, I totally take your point and there are actually quite a few "variations on this theme" I have seen in my research, however none I have seen apply to "creating a new password" as opposed to "entering an existing one" – Pancho Sep 15 '17 at 14:24
  • Possible duplicate of [Disable browser 'Save Password' functionality](https://stackoverflow.com/questions/32369/disable-browser-save-password-functionality/) – CubicleSoft Mar 05 '18 at 15:37
  • You should be *Encouraging* your users to use a password manager, not making their life harder. – Stuart Jan 22 '21 at 15:41
  • @Pancho I do understand, I and other security professionals want everyone to use a password manager. Doing that improves security. Making password managers harder to use does not help. – Stuart Jan 22 '21 at 17:25
  • @Stuart - my position is that a password manager auto-populating a new password field with a previous password is at best useless and at worst actively counterproductive. However as you appear to feel strongly that it adds value, please do explain how you believe it helps. Hopefully I will learn something. – Pancho Jan 22 '21 at 20:47
  • @Stuart - please make sure that any benefit you raise is cross-browser compatible for the top 4 major browser players as well as backwards compatible to edge v1 otherwise it is of no value to me. Also as you are criticizing a question asked in 2017 to be fair please make sure your answer reflects the status at that time. thanks – Pancho Jan 22 '21 at 21:18
  • @Stuart - as I always like to learn, I keenly await your rationale for your - very clearly stated - opinion as it relates to the specific context of my question. Thank you. – Pancho Jan 23 '21 at 14:37
  • @Pancho as I put in my answer below, the correct way to do this back in 2017 and now is to set autocomplete="new-password"; if you are getting password managers filling this in with the user's current password then this is a bug. I am presuming you have a field for the current password with autocomplete="current-password" on the form as well. You should ask for the current password even if the user is logged on to protect against session takeover attacks. – Stuart Jan 24 '21 at 16:18
  • @stuart - if functionality doesn't work consistently across browsers ...which the functionality to which you refer certainly didn't at the time, as I explain clearly in my question and your answer (and you have not confirmed 100% does even now), while I have nothing against password managers in principle, your comment would have been better placed to say "password managers were inconsistent at the time and the inconsistency you saw is now fixed. The best way to achieve what you need is xyz" ...rather than sanctimoniously and retrospectively railing at a perfectly valid concern. – Pancho Jan 25 '21 at 06:34
  • @stuart - Finally as mentioned, your recommended behaviour is only of value to me - and I assume many others - if it works reliably across the following browsers: Edge v1 and v2, Chrome, Firefox, Safari and Opera. With this in mind, please can you confirm how recently you have tested and proven the functionality 100% across all these platforms. Thanks – Pancho Jan 25 '21 at 06:45

2 Answers


Try to remove "name" attributes from the inputs

SubjectDelta
  • thanks so much for the input - I was jumping for joy when it worked for Chrome (had to remove both name and id attributes) ...but sadly it doesn't work for Firefox :( – Pancho Sep 15 '17 at 14:32

For a new password field, set autocomplete="new-password"; the password manager will then use this field when the user uses the generate option to create a new password or is changing the password.

https://developers.google.com/web/updates/2015/06/checkout-faster-with-autofill

Stuart
  • my question above explains clearly that your approach was tried and did not at the time work reliably. As you are showing a link to an article prior to my question being asked it is unlikely to offer anything new. – Pancho Jan 23 '21 at 05:26
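As an added example (not code from either answer or from the original poster), here is a change-password form wired up with the autofill tokens the answer above describes: autocomplete="current-password" on the existing-password field and autocomplete="new-password" on both new-password fields, plus a small inline check that the two new values match and differ from the current one. The field names, the action URL and the minimum length are assumptions.

```html
<!-- Constructed example; field names and action are placeholders -->
<form id="change-password" method="post" action="/account/password">
  <label>Current password
    <input type="password" name="current_password"
           autocomplete="current-password" required>
  </label>
  <label>New password
    <input type="password" name="new_password"
           autocomplete="new-password" minlength="12" required>
  </label>
  <label>Re-enter new password
    <input type="password" name="new_password_confirm"
           autocomplete="new-password" required>
  </label>
  <button type="submit">Change password</button>
</form>
<script>
  // Client-side sanity check only; the server must repeat these checks.
  const form = document.getElementById('change-password');
  const confirmField = form.elements['new_password_confirm'];

  form.addEventListener('submit', (event) => {
    const current = form.elements['current_password'].value;
    const next = form.elements['new_password'].value;
    const confirm = confirmField.value;
    let problem = '';
    if (next !== confirm) {
      problem = 'The two new password fields do not match.';
    } else if (next === current) {
      problem = 'The new password must differ from the current one.';
    }
    // setCustomValidity surfaces the message through the browser's
    // built-in validation UI instead of a custom error element.
    confirmField.setCustomValidity(problem);
    if (problem) {
      event.preventDefault();
      form.reportValidity();
    }
  });

  // Clear a stale message as soon as the user edits either new field.
  for (const name of ['new_password', 'new_password_confirm']) {
    form.elements[name].addEventListener('input', () => {
      confirmField.setCustomValidity('');
    });
  }
</script>
```

Both tokens are standard HTML autofill field names, so a browser that ignores them simply treats the inputs as ordinary password fields.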