When I have autocomplete off, why does it still fill HTML inputs if saved in browser?

Question

Is it possible to prevent autofill even when the creds are stored in the browsers logins and passwords?

Or is there a way to prevent creds being saved to the browser?

Or is it better to allow both of these browser features? I'm just think about security if people share machines.

I have tried autocomplete="off" on the inputs and form but it still autofills the fields if there is creds are already stored in the browser and if theyre not then it prompts to save them.

<form autocomplete="off">
  <h1>Login</h1>
  <input type="text" autocomplete="off" placeholder="username" />
  <input type="password" autocomplete="off" placeholder="password" />
</form>

Any help would be appreciated!

hmm this seem to look like something the browser you are using is doing. The form autocomplete='off' should work. Are you submitting the form? check this link https://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_form_autocomplete — PeterJoe, May 19 '20 at 11:18
@PeterJoe It happens on Chrome and Firefox. I'm using Vue.js to submit the values.. so theres a function on the button that gets the values and passes them to the API. — TheGarrett, May 19 '20 at 11:25
Google actually started ignoring `autocomplete="off"` _because_ people were using it "_[without any real thought being given](https://bugs.chromium.org/p/chromium/issues/detail?id=468153#c164)_". What makes you think that disabling default browser behavior would benefit security? Don't you think the developers of the browser have thought this through? — Ivar, May 19 '20 at 11:26

twerk kid · Accepted Answer · 2020-05-19T11:38:02.400

2

It's because password autocompletion is not common autocompletion, most modern browsers are using some different mechanics to fill these fields. MDN says it can be disabled by adding autocomplete="new-password" to the fields, though it is new feature and may not work in some browsers. It surely works in Opera 68. So your code should be something like this:

<form autocomplete="off">
  <h1>Login</h1>
  <input type="text" autocomplete="new-password" placeholder="username" />
  <input type="password" autocomplete="new-password" placeholder="password" />
</form>

This question is actually answered here: Disabling Chrome Autofill

edited May 19 '20 at 11:38

answered May 19 '20 at 11:27

twerk kid

76
3

Thanks! This works but it still shows the saved password underneth the input. I guess this may be the best approach. It's stopped the username being saved as well but some reason the it still saves the password.. is there away to prevent this? – TheGarrett May 19 '20 at 11:52
@TheGarrett Have you read the other comments/answers? I recommend to reconsider your decision to prevent this. The annoyance for your users will be bigger than what you gain from a security perspective. Again, the reason why Chrome started to ignore it, is _because_ people are using it without thinking it though. – Ivar May 19 '20 at 12:01
@Ivar Yeah I'm going to keep the solution mentioned above... it still allows user to save use theyre saved passwords but at least it isnt autofilled in when the page loads. I think this is best case for my situation. – TheGarrett May 19 '20 at 12:15

score 1 · Answer 2 · answered May 19 '20 at 11:27

If your inputs are actually a username and password, I wouldn't prevent the browser from recognising them as such.

The security issue with computer-sharing is a valid point, but personally I would say this is mostly up to the user. Most computers, for example, have optional settings that the computer password needs to be entered each time autofill is used in the browser. If I knew that my computer and account was being shared, I would definitely turn this setting on.

Also, the pop-up window which asks you to save the password should have the option Never for this website (at least that's how it's phrased in safari, I would assume all browsers offer something similar). If the user knows that a password opens up very sensitive information, they should always choose this option. The browser never saves a password without the user's permission.

As to why your code doesn't work – as far as I can see, you're using the autocomplete="off" attribute correctly, and it should work that way. I think the reason must be that your browser simply ignores this attribute for password inputs. Might be worth checking if the same thing happens in other browsers?

There appear to be many examples of Chrome ignoring this attribute in the past, with various more or less messy solutions. These questions, for example:

Yeah I think the browsers were ignoring the autocomplete="off". From the other answers adding autocomplete="new-password" prevents the fields being auto filled. However this still gives the user the option to used a stored password but I think youre right it should be up to the user to control what there browsers are doing regarding passwords. Thanks for the help :) — TheGarrett, May 19 '20 at 12:13

score 0 · Answer 3 · answered May 19 '20 at 11:24

0

This is from MDN:

If a browser keeps on making suggestions even after setting autocomplete to off, then you have to change the name attribute of the input element.

I see you don't use a name attribute so please try that.

answered May 19 '20 at 11:24

Rob Moll

3,345
2
9
15

When I have autocomplete off, why does it still fill HTML inputs if saved in browser?

3 Answers3