Disabling password auto-complete in Firefox?

Recently Firefox started ignoring autocomplete="off" for password fields, and now allows the user to save passwords all the time. We have a large application used by thousands of users, and by law we need to ensure that passwords are NEVER saved in plain text on our clients computers.

Is there any way we can prevent Firefox from saving these passwords? We found a workaround for Chrome (it only saves the first password field on the screen, so we added a hidden one before the real one), but we haven't had any luck with Firefox. As of now, the only option we have is to disable Firefox support entirely.

And yes, I realize blocking the user from saving passwords is annoying, but we have no choice ... this is a requirement imposed on us by Federal regulations.

276 likes. Asked by Beep beep, Sep 30 '22 01:09


3 Answers

This question sparked a lot of debate at the office, but we came up with a solution.

Use a button click event to submit the form (instead of a normal submit button). Then populate your hidden field, remove the value of the visible field, and submit. (JSFiddle)

Click event sample:

$('#post').click(function(e) {
    e.preventDefault();                   // the button itself must not submit
    var password = $("#password");        // visible password field
    var realPassword = $("#therealdeal"); // hidden field that actually gets posted
    realPassword.val(password.val());     // copy the typed value across
    password.val('');                     // blank the visible field first...
    $('#form').submit();                  // ...then submit the form ourselves
});

It appears that on a submit event the browser will serialize the form and use the serialized object's values to submit. This is why you can't simply do something like the following.

Not working sample:

$('#form').submit(function(e) {
    var password = $("#password");         // visible password field
    var realPassword = $("#realpassword"); // hidden field
    realPassword.val(password.val());      // copy happens...
    password.val('');                      // ...but the form has already been serialized
});

Even though the value in the DOM is cleared out before a true submit happens, it still reads from the serialized form object.

Tested this in IE, Firefox, and Chrome.

162 likes. Answered by PaulBinder, Oct 20 '22 04:10


Use <input type=text autocomplete=off> instead. Such a control will not be affected by password managers at all. It will not mask out the characters that the user types. Otherwise, it works the same as with type=password.

If the usability improvement (no masking out) is not acceptable to the higher powers, you need to create your own masking behaviour (catch input events, change input to “*” or some other masking character, saving the actual input in a hidden field) or find a library tool that does that for you.

23 likes. Answered by Jukka K. Korpela, Oct 20 '22 04:10
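A framework-free version that combines the two answers above: the visible control is an <input type=text autocomplete=off> that is masked by hand (the second answer), the real characters live only in script state, and a button click (not a submit event, as the first answer found) copies them into a hidden field and blanks the visible field before the form is submitted. This is an added example, not code from either answerer or from the JSFiddle; the element ids login-form, password-visible, password-real and post are assumptions. The masking logic is a pure function so it can be exercised outside a browser; it goes a little beyond the answer by handling caret moves, backspace/delete in the middle of the value and select-and-paste, not just appended characters.

```javascript
// Added example: hand-rolled masking over a plain text input, with the real
// value handed to a hidden field only at click-to-submit time.
// Element ids below are assumptions, not from the original answers.

const MASK = '*';

// Recover the new real password from: the real password before the edit,
// the field's text after the edit, and the caret position after the edit.
// Convention: each MASK char still in the field stands for one retained real
// character; any other char is what was just typed or pasted, and the caret
// sits right after the inserted text (where browsers leave it on an input event).
function applyEdit(realBefore, display, caret) {
  const before = display.slice(0, caret);
  const after = display.slice(caret);
  const typed = [...before].filter((c) => c !== MASK).join('');
  const keptPrefix = before.length - typed.length;                // masked chars left of caret
  const keptSuffix = [...after].filter((c) => c === MASK).length; // masked chars right of caret
  const prefixLen = Math.min(keptPrefix, realBefore.length);
  const suffixLen = Math.min(keptSuffix, realBefore.length - prefixLen);
  const real =
    realBefore.slice(0, prefixLen) +
    typed +
    realBefore.slice(realBefore.length - suffixLen);
  return { real, display: MASK.repeat(real.length), caret: prefixLen + typed.length };
}

// Replay a sequence of [textAfterEdit, caretAfterEdit] pairs, as a browser
// would deliver them through successive input events, starting from empty.
function replayEdits(edits) {
  let state = { real: '', display: '', caret: 0 };
  for (const [display, caret] of edits) {
    state = applyEdit(state.real, display, caret);
  }
  return state;
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form');          // assumed id
  const visible = document.getElementById('password-visible'); // <input type="text" autocomplete="off">
  const hidden = document.getElementById('password-real');     // <input type="hidden" name="password">
  const button = document.getElementById('post');              // <button type="button">
  let state = { real: '', display: '', caret: 0 };

  // Keep the DOM showing only MASK characters; the real value stays in `state`.
  visible.addEventListener('input', () => {
    state = applyEdit(state.real, visible.value, visible.selectionStart);
    visible.value = state.display;
    visible.setSelectionRange(state.caret, state.caret);
  });

  // Click handler, not a submit handler: the form is serialized only after
  // we have moved the value into the hidden field and emptied the visible one.
  button.addEventListener('click', (e) => {
    e.preventDefault();
    hidden.value = state.real;  // the real value touches the DOM only now
    visible.value = '';         // nothing left in the visible field to save
    state = { real: '', display: '', caret: 0 };
    form.submit();
  });
}
```

The one edit the convention cannot distinguish is a user literally typing the mask character; if that matters, pick a mask character that is not a legal password character, or track edits through selectionStart/selectionEnd captured on the preceding keydown instead.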


Firefox does not store passwords in its autocomplete database; it only offers to store them in its password manager. If the user supplies a "master password" in Preferences->Security, the password manager's database is encrypted. Alternatively, if you disable the password manager in Preferences->Security, the password manager will never store passwords, encrypted or otherwise.

If your objective is to require that passwords be never stored in plain text, trying to prevent browsers from storing them isn't a particularly effective strategy. Users can always just keep a text file full of passwords on their desktops.

Firefox isn't alone at ignoring autocomplete="off" with respect to its password manager; Internet Explorer 11 also does that. Firefox's rationale behind this change is recorded at https://bugzilla.mozilla.org/show_bug.cgi?id=956906. In essence, the consensus is that trying to require that users memorize unique passwords for every site where they have accounts leads to weak, re-used passwords, and that the best strategy for avoiding that is to use password managers. See also this thread: https://security.stackexchange.com/questions/49326/should-websites-be-allowed-to-disable-autocomplete-on-forms-or-fields.

28 likes. Answered by user3553031, Oct 20 '22 06:10