Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to prevent a browser from storing passwords

I need to stop browsers from storing the username & password values, because I'm working on a web application which contains more secure data. My client asked me to do this.

I tried the autocomplete="off" attribute in the HTML form and password fields. But it is not working in the latest browsers like Chrome 55, Firefox 38+, Internet Explorer 11, etc.

What is the best solution for this?

like image 322
Sree Avatar asked Dec 19 '16 06:12

Sree


People also ask

How do I stop my browser from remembering my passwords?

Chrome. Click the Chrome menu in the toolbar and choose Settings. Click Passwords. Turn off Offer to save passwords.

Why You Should Never save passwords on Chrome?

Experts warn against storing passwords in Chrome after hackers target remote workers. Hackers are preying on people working from home for passwords stored in web browsers, experts claim. Keeping passwords saved in the likes of Chrome and Edge is pretty common practice and usually considered quite safe.

Why you should never allow your web browser to save your passwords?

The Browser Security RiskThis database of passwords stored in your browser is not as secure as you might think. Depending on the browser, if hackers gained access to your computer, they could actually extract the contents of the database – and get access to ALL your private logins.


2 Answers

Thank you for giving a reply to me. I followed the below link

Disable browser 'Save Password' functionality

I resolved the issue by just adding readonly & onfocus="this.removeAttribute('readonly');" attributes besides autocomplete="off" to the inputs as shown below.

<input type="text" name="UserName" autocomplete="off" readonly  onfocus="this.removeAttribute('readonly');" >  <input type="password" name="Password" autocomplete="off" readonly  onfocus="this.removeAttribute('readonly');" > 

This is working fine for me.

like image 79
Sree Avatar answered Sep 27 '22 00:09

Sree


Trying to prevent the browser from storing passwords is not a recommended thing to do. There are some workarounds that can do it, but modern browsers do not provide this feature out-of-the-box and for good reason. Modern browsers store passwords in password managers in order to enable users to use stronger passwords than they would usually.

As explained by MDN: How to Turn Off Form Autocompletion:

Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.

Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

For this reason, many modern browsers do not support autocomplete="off" for login fields:

  • If a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

  • If a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).

If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet.

like image 35
4castle Avatar answered Sep 24 '22 00:09

4castle