
How to set the correct username and password textboxes?

I have a login screen with a user name and password but it also has a company field which is kind of like having a domain.

The problem is that the browsers are using the domain box like the username, so when you save the password in the browser, if you type the domain it fills the password in the password box, then all you need to do is add the username, which is most likely that computer user. It is obviously a serious security problem.

E.g. User: Tom, Domain: Netweb, Pass: test

Tom logs in once and clicks to save his password. The next time he comes back, he enters Netweb into the domain and presses return, it fills the password which was saved for that domain and then he can enter his username afterwards.

What can I do about this? Is there a way to set the username so that it doesn't use the company or a way to use the top two before adding the password?

example of username issue

My code is below:

<tr class="center">
    <td class="center">User Name
        <br />
        <asp:TextBox ID="txtUser" runat="server"></asp:TextBox>
    </td>
</tr>
<tr class="center">
    <td class="center">Company
        <br />
        <asp:TextBox ID="txtCompany" runat="server"></asp:TextBox>
    </td>
</tr>
<tr class="center">
    <td class="center">Password
        <br />
        <asp:TextBox ID="txtPass" runat="server" TextMode="Password"></asp:TextBox>
        <br />Remember me?
        <asp:CheckBox ID="chkPersistCookie" runat="server" AutoPostBack="false" />
        <br />
        <br />
        <asp:Button ID="btnSubmit" runat="server" Text="Login" CssClass="center" OnClick="btnSubmit_Click" />
        <br />
        <asp:Label ID="lblMessage" runat="server"></asp:Label>
        <br />
        <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ControlToValidate="txtUser" ErrorMessage="Please enter a user name" ForeColor="Red"></asp:RequiredFieldValidator>
        <br />
        <asp:RequiredFieldValidator ID="RequiredFieldValidator3" runat="server" ControlToValidate="txtCompany" ErrorMessage="Please enter a company" ForeColor="Red"></asp:RequiredFieldValidator>
        <br />
        <asp:RequiredFieldValidator ID="RequiredFieldValidator2" runat="server" ControlToValidate="txtPass" ErrorMessage="Please enter a password" ForeColor="Red"></asp:RequiredFieldValidator>
    </td>
</tr>
connersz asked Mar 20 '14 15:03


2 Answers

What you're facing here is known as the autocomplete attribute for form values. When you submit a form, the browser saves the form values for further usage on the very same page. The browser sometimes also provides the user the ability to save the password for the very website.

It is something like this

<input type="text" name="someInputName" autocomplete="off|on" />

But remember, even if the browser saves the data for the autocomplete, it will never ever save the passwords of the user for the autocomplete feature. They're not saved anywhere until the user allows the software to do so.

What you're facing here is the form autocomplete feature of browsers. In this case, the browser saves the user's data, and then you can just remove that data from the browser by going to the settings of the browser and, further under the hood, selecting the saved passwords there and removing the password for your site.

Otherwise, you have no control in preventing what a user wants to do. But, as Google does, you can implement their idea of security.

What they do is that they show you an input box of password type, and then they write the email address that is associated with the account. This way, you will trick the browser, and the browser would think that you require something else and not the password for him.

There are some other things that you can do too. Like, getting the user's Email address on one page, and then getting Password on the next page—like Google does now.

Afzaal Ahmad Zeeshan answered Oct 29 '22 17:10


If the problem is just with automatic prompting of the password in the textbox, then you need to disable the AutoComplete property of the textbox.

adi answered Oct 29 '22 15:10
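
Why the Company box ends up paired with the saved password, as an added example that is not part of the question or either answer: a simplified model of a common password-manager heuristic, run over the question's three fields. The two rules are an assumption for illustration (an `autocomplete="username"` hint wins, otherwise the nearest text field above the password field is used), and `guessUsernameField`, `auditLoginForm` and the sample arrays are hypothetical names.

```javascript
// Simplified model (an assumption, not any browser's real code) of how a
// password manager picks the "username" field to store beside a password.
function autofillTokens(field) {
  return (field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
}

function guessUsernameField(fields) {
  const pwIndex = fields.findIndex((f) => f.type === "password");
  if (pwIndex === -1) return null; // no password field: nothing to pair

  // Rule 1: an explicit autocomplete="username" hint wins.
  const hinted = fields.find((f) => autofillTokens(f).includes("username"));
  if (hinted) return hinted.id;

  // Rule 2: otherwise take the nearest text field above the password field.
  for (let i = pwIndex - 1; i >= 0; i--) {
    if (fields[i].type === "text") return fields[i].id;
  }
  return null;
}

// Report whether the guessed field is the one the site intends as the login.
function auditLoginForm(fields, intendedId) {
  const guessed = guessUsernameField(fields);
  return { guessed, ok: guessed === intendedId };
}

// Constructed from the question's markup order: User Name, Company, Password.
const original = [
  { id: "txtUser", type: "text" },
  { id: "txtCompany", type: "text" },
  { id: "txtPass", type: "password" },
];
// Same order, with standard HTML autofill tokens on each input.
const annotated = [
  { id: "txtUser", type: "text", autocomplete: "username" },
  { id: "txtCompany", type: "text", autocomplete: "organization" },
  { id: "txtPass", type: "password", autocomplete: "current-password" },
];
// No hints, but Company moved above User Name.
const reordered = [original[1], original[0], original[2]];

for (const [name, form] of Object.entries({ original, annotated, reordered })) {
  console.log(name, auditLoginForm(form, "txtUser"));
}
```

The tokens go on the rendered `<input>` elements as `autocomplete` attributes. The server should still verify user name, company and password together, since autofill behaviour is outside the site's control.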