autocomplete="new-password" ignored by Chrome 63 in Windows

Question

I have the following test page in my asp.net site:

<html>
<body>
    <form autocomplete="off">
        <input type="password" name="password" autocomplete="new-password">
    </form>
</body>
</html>

Despite of autocomplete being off for the form and new-password for the password field, Chrome 63.0.3239.132 Windows still shows a dropdown with a list of users to choose a password from.

According to this, the above should be enough to disable password autocomplete. How can I disable password autocomplete?

Answer 1

The Chrome/Chromium developers have determined that they will ignore the autocomplete="off" value in favor of making usability a bit better on consumer sites where the site developer has added the autocomplete="off" attribute aggressively/naively so that users can easily re-use values.

This flies against the spec and there are several open bugs discussing this but Google doesn't seem willing to budge.

To work around this, you will need to set all autocomplete attributes to a non-expected value. If you do this, Chrome will adhere to them. (well, basically it doesn't have a match, so it doesn't show anything)

e.g.

<!doctype html>
<html>
<body>
  <form autocomplete="do-not-show-ac">
    <input type="password" name="password" autocomplete="do-not-show-ac"/>
  </form>
</body>
</html>

It sucks when a browser vendor doesn't follow the specs, but at least there is a workaround for all of the scenarios where it makes no sense to display autocomplete info, or is a blatant security violation.