
How to disable autocomplete for a HTML password field in IE11?

IE11 dropped support for autocomplete=off for input type=password at both the form and element level.

Has anybody found a working solution to disable autocomplete under IE11?

asked Oct 07 '13 16:10
Hofi


2 Answers

You're much better off solving the problem of security with two-factor authentication. Hacking around the browser will (a) only work in the short-term (password managers are getting better at handling these kinds of approaches), and (b) often lead to accessibility issues, which can cost you a lot more users than your fear of legitimate password leakage. If you work in a large organization, users of assistive technology who have a tough enough time with your browser hacks can end up filing a lawsuit. (I am not speaking to this hack in particular, but generally speaking, working against the browser hurts assistive technologies.)

Two-factor authentication, even a sloppy implementation that just asks for something like middle name, then sets a cookie ("this browser is now allowed access without 2FA for a month"), makes it immensely more difficult for a random hacker to gain unauthorized access to an account, and keeps things better off for the users, especially those using screen readers or other assistive technology.

Disabling password managers, on the other hand, tends to lead to easy-to-type passwords rather than strong passwords. Using LastPass or similar, I can have a 24-character password (and LastPass can probably fill in fields you're trying to protect with hacks, fyi) that I would never hope to remember, and a different password for each site. When I have passwords I have to remember, they tend to be two words strung together with a symbol, such as "Dogs+Knife".

answered Nov 15 '22 08:11
Nerdmaster


I'm a bit late to this, but the cleanest approach (at the time of writing) seems to be making users submit their username and password on different pages, i.e. the user enters their username, submits, then enters their password and submits. The Bank Of America and HSBC Bank websites are using this, too.

Because the browser is unable to associate the password with a username, it will not offer to store passwords. This approach works in all major browsers (at the time of writing) and will function properly without the use of JavaScript. The downsides are that it would be more troublesome for the user, and would take 2 postbacks for a login action instead of one, so it really depends on how secure your website needs to be.

PS: Firefox will be following IE11's lead and ignore autocomplete="off" for password fields, as per this 'bug report' which is marked VERIFIED FIXED.

answered Nov 15 '22 10:11
JW Lim
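
The two-page login flow described in the answer above, as an added example that is not part of the original answer: step 1 stores the chosen username in a MACed, short-lived cookie, and step 2 serves a page with a password input only. The names `SECRET`, `USERS`, `handle` and the `pending` cookie are hypothetical, and the account is constructed sample data.

```javascript
// Added example (hypothetical names): username and password are submitted
// from separate pages, with the username carried between them in a MACed cookie.
const { createHmac, timingSafeEqual, scryptSync } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: loaded from config in real use
const hash = (pw) => scryptSync(String(pw), 'constructed-salt', 32);
const USERS = new Map([['alice', hash('Dogs+Knife')]]); // constructed sample account
const DUMMY = hash('unused'); // compared against when the account does not exist

// Step 1 result: the chosen username plus an expiry, MACed so step 2 can trust it.
function sign(user, exp) {
  const mac = createHmac('sha256', SECRET).update(`${user}.${exp}`).digest('hex');
  return `${user}.${exp}.${mac}`;
}
function verify(token, now = Date.now()) {
  const [user, exp] = String(token).split('.');
  const a = Buffer.from(String(token)), b = Buffer.from(sign(user, exp));
  const ok = a.length === b.length && timingSafeEqual(a, b) && Number(exp) > now;
  return ok ? user : null;
}

const form = (name, type) => `<form method="post">` +
  `<input name="${name}" type="${type}"><button>Next</button></form>`;
const reply = (status, body, headers = {}) => ({ status, headers, body });

// Pure handler returning {status, headers, body}; wire it to any HTTP server.
function handle(method, path, fields = {}, cookies = {}, now = Date.now()) {
  if (path === '/login') {
    if (method !== 'POST') return reply(200, form('username', 'text'));
    if (!/^\w{1,32}$/.test(fields.username || '')) return reply(400, 'bad username');
    // Go on to step 2 whether or not the account exists, so step 1 leaks nothing.
    const cookie = `pending=${sign(fields.username, now + 5 * 60 * 1000)}; HttpOnly; Secure; SameSite=Strict; Path=/login`;
    return reply(302, '', { Location: '/login/password', 'Set-Cookie': cookie });
  }
  if (path === '/login/password') {
    const user = verify(cookies.pending, now);
    if (!user) return reply(302, '', { Location: '/login' });
    // This page carries a password input only: no username field sits beside it.
    if (method !== 'POST') return reply(200, form('password', 'password'));
    const stored = USERS.get(user);
    const match = timingSafeEqual(hash(fields.password || ''), stored || DUMMY);
    if (!(match && stored)) return reply(401, 'Invalid username or password');
    // Session creation is out of scope here; a real app would issue its session cookie.
    return reply(200, `signed in as ${user}`, { 'Set-Cookie': 'pending=; Max-Age=0; Path=/login' });
  }
  return reply(404, 'not found');
}
```

Because the username reaches step 2 only through the signed cookie, a client cannot switch accounts between the two submissions, and an unknown username fails with the same response as a wrong password.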