2

I know you can disable the autocomplete on a form by setting autocomplete="off" on the form itself.

The problem I have is, I want to prevent the browser from populating the password field but do not want to disable username or other fields.

The other thing to consider is legacy data. Using autocomplete="off" on the form (or even the field itself) does not prevent existing users with saved passwords from getting a free-pass. Or ones that use web inspector, change the value of autocomplete and submit, allowing themselves to save the password.

I know it is possible to change the password field name attribute to a random/new one on every visit. Regretfully, I am working with a java/spring back-end and I am being told this is NOT easily manageable without a huge refactor/override.

How would you architect this? How would you enforce that the field always starts empty? There is no consistent way for browsers to event notify you of pre-population by a password manager - some may fire an onChange, others may not.

I guess I can move fields around with javascript and build the real form on the fly and submit it but once again, this will have implications with spring security and validations etc. Any other ideas?

Dimitar Christoff
  • 26,147
  • 8
  • 50
  • 69
  • The only thing I can think of is to insert the password input box after dom ready... – David Nguyen Dec 07 '11 at 18:32
  • 1
    You probably can't prevent it 100%, see http://www.dailygyan.com/2008/08/force-firefox-to-remember-password-of.html - But your script idea is the best solution I could think of too. – Mike Christensen Dec 07 '11 at 18:37
  • BTW, my bank's online banking uses a Flash based logon form. They say it's for security. Maybe they're thinking along the same lines as you too. – Mike Christensen Dec 07 '11 at 18:38

3 Answers3

0

I had to find this solution for IE 11 (since it ignores the autocomplete attribute). It works fine in other browsers. Really more of a work around, but it works. https://stackoverflow.com/a/20809203/1248536

Community
  • 1
  • 1
DeadlyChambers
  • 5,217
  • 4
  • 44
  • 61
0

I was recently faced with this problem, and with no simple solution since my fields can be prepopulated, I wanted to share an elegant hack I came up with by setting password type in the ready event.

Don't declare your input field as type password when creating it, but add a ready event listener to add it for you:

function createSecretTextInput(name,parent){
    var createInput = document.createElement("input");
    createInput.setAttribute('name', name);
    createInput.setAttribute('class', 'secretText');
    createInput.setAttribute('id', name+'SecretText');
    createInput.setAttribute('value', 'test1234');

    if(parent==null)
       document.body.appendChild(createInput);
    else
        document.getElementById(parent).appendChild(createInput);

    $(function(){
        document.getElementById(name+'SecretText').setAttribute('type', 'password');
    });
};

createSecretTextInput('name', null);

http://jsfiddle.net/N9F4L/

Matthew
  • 89
  • 1
  • 8
0

you can made a temp variable when onFocus is call to set a variable to true ( like userFocus ) and on the onChange attribut but a short code for reseting "value" to NULL if userFocus== false) kind of overkilling imo but migth work

EDIT

function reset()
{
if (document.getElementById("hidden").value!=" ")
{
document.getElementById("demo").value=" ";
}
else;
}

function getfocus()
{
document.getElementById("hidden").value=" ";
}
else;
}

<input type="password" id="pwd" onchange="reset()" onfocus="getfocus()"/>
<input type="hidden" id="hidden" value="not focus"/>
Gorkam
  • 11
  • 3