autocomplete="new-password" ignored by Chrome 63 in Windows

Question

I have the following test page in my asp.net site:

<html>
<body>
    <form autocomplete="off">
        <input type="password" name="password" autocomplete="new-password">
    </form>
</body>
</html>

Despite of autocomplete being off for the form and new-password for the password field, Chrome 63.0.3239.132 Windows still shows a dropdown with a list of users to choose a password from.

According to this, the above should be enough to disable password autocomplete. How can I disable password autocomplete?

score 12 · Accepted Answer · answered Mar 10 '18 at 00:46

12

The Chrome/Chromium developers have determined that they will ignore the autocomplete="off" value in favor of making usability a bit better on consumer sites where the site developer has added the autocomplete="off" attribute aggressively/naively so that users can easily re-use values.

This flies against the spec and there are several open bugs discussing this but Google doesn't seem willing to budge.

To work around this, you will need to set all autocomplete attributes to a non-expected value. If you do this, Chrome will adhere to them. (well, basically it doesn't have a match, so it doesn't show anything)

e.g.

<!doctype html>
<html>
<body>
  <form autocomplete="do-not-show-ac">
    <input type="password" name="password" autocomplete="do-not-show-ac"/>
  </form>
</body>
</html>

It sucks when a browser vendor doesn't follow the specs, but at least there is a workaround for all of the scenarios where it makes no sense to display autocomplete info, or is a blatant security violation.

answered Mar 10 '18 at 00:46

scunliffe

62,582
25
126
161

4

Thanks @scunliffe! My forms still autocomplete even using `autocomplete="do-not-show-ac"`. Even the code you posted above still shows autocomplete. It's so frustrating! – Yogster Mar 14 '18 at 11:03
@Yogster do you have a publicly accessible version of this code? I'd love to test it out. Also, I'm curious if it shows up on all Chrome 63+ versions... or just ones where there were already values saved? – scunliffe Mar 14 '18 at 14:08
I'll see if I can knock something together quickly and host it in heroku or something so you can repro. – Yogster Mar 14 '18 at 16:54
1

The problem I have is that the field where I *don't* want the password to autocomplete is a "password confirmation" field to perform an action that requires double-checking the user is who they say they are. The autocomplete is enabled for the login page, so we'll always have values saved. I ended up replicating a password field as a standard text input that puts its value in a hidden field and masks the characters, so it behaves as a password field. Horrendous, but I needed a quick fix! – Yogster Mar 16 '18 at 14:22
1

As of 2018-04-05 I still had an issue if I set the autocomplete attribute value to a "non-standard" value in the HTML. Using dev tools, I noticed that Chrome was changing it back to "off" on render. This workaround finally solved the issue, although it is, in my opinion a fairly clunky fix (also uses jQuery): $("input[type='text']").focus(function () { $(this).removeAttr("autocomplete").attr("autocomplete", "new-password"); }); – Chason Arthur Apr 05 '18 at 13:38
1

The same in 2020. – m1ld Mar 09 '20 at 10:51
4

It looks like chrome no longer respects new-password for any field which input type is not a password. This arms race has to stop. – Ray Suelzer Jun 04 '20 at 19:31

autocomplete="new-password" ignored by Chrome 63 in Windows

1 Answers1

Linked