
It seems to be a common recommendation that password input fields should have their autocomplete attribute set to off.

https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Am_I_totally_safe_with_these_directives.3F

https://portswigger.net/kb/issues/00500800_password-field-with-autocomplete-enabled

But it also seems that most browsers ignore this attribute and will prompt users to store their passwords regardless of its presence/value.

Is this recommendation pointless? As a security best practice, should password fields include autocomplete="off"?

ab11

1 Answer


No, the recommendation is not pointless; the issue is that the client-side agents can also override this setting. But there are ways to get around this as well; you can follow the discussion here: StackOverFlow Discussion

Soumen Mukherjee
  • Sorry, I'm still a bit confused, isn't it pointless to the extent that browsers override the settings? If all modern browsers override it, then it is essentially pointless?... I guess my question is: if including this attribute doesn't affect browser behavior, what is the point of the recommendation? – ab11 Jan 24 '18 at 15:18
  • So there are N number of ways the password can be cached on the client side, like a user might be using a password manager (LastPass), or there might be a password manager running as a BHO. So the management of the password on the client side is the responsibility of the user; by providing the option to disable autocomplete in the HTML we are transferring the risk to the end user and the server-side role is clean. So this is the whole point of having this facility. Hope this makes the concept clear. – Soumen Mukherjee Jan 24 '18 at 17:26
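The condition the linked PortSwigger check reports (a password field whose form and input both leave autocomplete enabled) can be audited in a page's markup. The following is an added example, not code from the question, the answer or the linked resources; it assumes static HTML as a string, uses regex-based tag parsing that is enough for an illustration rather than a full HTML parser, and runs over a constructed sample form.

```javascript
// Added example: find <input type="password"> fields that do not opt out of
// autocomplete, either on the input itself or inherited from the enclosing form.
// Assumption: simple regex parsing of static HTML (attribute values containing
// '>' are not handled; a production scanner would use a real HTML parser).

// Parse a tag's attribute string into an object with lower-cased keys.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per password field whose effective autocomplete is not "off".
function findPasswordFieldsWithAutocomplete(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let fm;
  while ((fm = formRe.exec(html)) !== null) {
    const formAttrs = parseAttrs(fm[1]);
    const inputRe = /<input\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(fm[2])) !== null) {
      const a = parseAttrs(im[1]);
      if ((a.type || "").toLowerCase() !== "password") continue;
      // An autocomplete attribute on the input takes precedence over the form's.
      const effective = (a.autocomplete ?? formAttrs.autocomplete ?? "").toLowerCase();
      if (effective !== "off") {
        findings.push({ name: a.name || "(unnamed)", autocomplete: effective || "(absent)" });
      }
    }
  }
  return findings;
}

// Constructed sample: one form with no opt-out, one form-level opt-out with a
// per-input override (new-password is a standard autocomplete token).
const SAMPLE_HTML = `
<form id="login" action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<form id="change" action="/change" method="post" autocomplete="off">
  <input type="password" name="old">
  <input type="password" name="new" autocomplete="new-password">
</form>`;

console.log(findPasswordFieldsWithAutocomplete(SAMPLE_HTML));
```

Only `pw` (no attribute anywhere) and `new` (input-level override) are reported; `old` inherits the form's `autocomplete="off"`.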