2

I read a lot regarding password autocomplete, whether to let the browser to autocomplete the user-password for login or not.

Although a lot of information regarding this is not updated with the new versions of the browsers.

Solutions I tried:

When I tried to disable the password autocomplete by 

autocomplete="off"
autocomplete="new-password"
autocomplete="nope"
...

Even tried to make the field readonly and in js to remove the readonly - didn't worked.

Tried to make another password field with display: none - No luck.

One step back:

So, I was trying to figure why the browsers ignores my needs and tried to find sense.

I took one step back and asked whether it is a good practice to disable password autocomplete.

I read that disabling autocomplete might weakens your security (as the user will use a weak password in order to remember it).

My question is what is the best practice here? should a website let password autocompletion or not?

Thanks

omri_saadon
  • 10,193
  • 7
  • 33
  • 58
  • possibly duplicate https://stackoverflow.com/questions/39462123/should-i-prevent-password-autocomplete – Vikas Jadhav Oct 24 '18 at 07:24
  • @VikasJadhav, This question is 2 years ago, as I mentioned the browsers now behave differently to some attributes. I am seeking for the most updated information. – omri_saadon Oct 24 '18 at 07:26
  • Today i ran this issue in one of my projects too. MDN offer disable autocomplete plugin: "This plugin will randomize input name attribute by default. It will restore back to original field name when submitting form. This is for preventing auto completion for all browsers (includes third-party auto-completeion extensions) not just for Google Chrome.". https://terrylinooo.github.io/jquery.disableAutoFill/ – A. Meshu Oct 30 '18 at 18:45
  • @A.Meshu, To be honest, I think it's really bad UX experience, that's just my opinion. – omri_saadon Oct 30 '18 at 18:47
  • I think UX experience should not pre defined by the browser, on the other hand if all majors browsers acting the same i guess i'm wrong (-: – A. Meshu Oct 30 '18 at 18:51

1 Answers1

2

autocomplete="off" is universally ignored by browsers. You should provide sensible autocomplete values so that password managers can provide you with sensible values in the input field. Use autocomplete="current-password" and autocomplete="username" in a login screen.

The only way to prevent autocomplete is to make sure the name of the field is nothing like "password" so that there is no indication that a password is asked for. But this is an obnoxious user design pattern.

Better is to enable autocomplete and use it to make sure you receive accurate data entries in your input fields. Helping users use a password manager improves everyone's security. The full list of autocomplete values.

Stuart
  • 1,008
  • 11
  • 14