Menu
Our security team requires us to disable the password manager for protected fields on the HTML form. As an example, here's an over simplified HTML form below. When I click the submit button, firefox (version 51.0.1) pops up the password manager.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
</head>
<body>
<form name="testform" action="disable-pwd-mgr.htm" method="post"
autocomplete="off">
<label for="protected-input">Protected Input</label>
<input type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" />
<input type="password" id="disable-pwd-mgr-1" style="display: none;" value="stop-pwd-mgr-1"/>
<input type="password" id="disable-pwd-mgr-2" style="display: none;" value="stop-pwd-mgr-2"/>
<button name="next" id="next" type="submit" value="Next">
NEXT
</button>
</form>
</body>
</html>
Note that all alternatives suggested here didn't work.
Using the two separate additional hidden password inputs, each with different dummy values seems to work for the case when the user actually inputs a value into the protected field and clicks submit. But if the field is left blank and the submit button is clicked, the password manager pops up again. Interestingly chrome (Version 55) doesn't pop up the password manager at all, which is good. Does anyone have a better solution to this problem?
533
Method 1: One of the known methods is to use autocomplete attribute to prevent browser to remember the password. In the input field, if we define autocomplete=”off” then many times the input value is not remembered by the browser.
Chrome. Click the Chrome menu in the toolbar and choose Settings. Click Passwords. Turn off Offer to save passwords.
Just wanted to add that including:
data-lpignore="true"
on your input element will disable Last Pass on that field. Not sure if other password managers have something similar.
81
This works in the current Firefox (51), Chrome (55), Edge (38) and IE (11):
Use three different hidden password inputs with three different values. This seems to prevent the browser from activating the password manager because it cannot guess which of the three values is the new password to use.
<form name="testform" action="index" method="post"
autocomplete="off">
<input name="disable-pwd-mgr-1" type="password" id="disable-pwd-mgr-1" style="display: none;" value="disable-pwd-mgr-1" />
<input name="disable-pwd-mgr-2" type="password" id="disable-pwd-mgr-2" style="display: none;" value="disable-pwd-mgr-2" />
<input name="disable-pwd-mgr-3" type="password" id="disable-pwd-mgr-3" style="display: none;" value="disable-pwd-mgr-3" />
<label for="protected-input">Protected Input</label>
<input autocomplete="aus" type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" />
<button name="next" id="next" type="submit" value="Next">
NEXT
</button>
</form>
Over the last years, Browser manufacturers have started to ignore the "autocomplete=off" option for password forms. For example, see the change issue for Firefox.
The reasoning is simple: A lot of websites want to disable auto-complete for login forms based on a false understanding of security. Allowing users to store passwords in secure password managers (as provided today by current browsers) is not a security risk. In fact, it helps security by allowing users to use secure and individual passwords for different websites.
So, don't try to disable browser password managers because you think this would increase security for your users. It doesn't.
There might be scenarios where you don't want a password manager to pop up for example because the password entered is a one-time-password or tan that is of no use a second time. But in the case of a one-time-password / tan, why use a password input at all? Just use a normal input.
Discussion on the issue on Security Stackexchange
26
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
