Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to truly disable autofill and autocomplete for password fields for modern browsers?

In modern browsers the standard of autofill and autocomplete is to completely ignore autocomplete="off" for password fields that are placed in a form. And insert saved passwords, even if it's in a user management page. Although the reason is in the right place, it makes creating a user management page a huge pain.

My team's web application runs with angular 7 and currently only supports chrome. But there's a big possibility that we will need support other browsers like internet explorer, edge, firefox, etc.

I know this is a largely touched subject, and that I can find many questions with answers similar to this question (like this, or this). But every solution I've found so far has at least one big flaw.

What I've tried so far on chrome:

1) Use autocomplete="new-password"

It seems that chrome/chromium developers ignores even this for type="password".

2) Use type="text" autocomplete="new-password" with asterisk font family

This disables chrome from auto-filling the input field and hides the letters. But the big flaw is that the value is still there and can be copy-pasted in a different font family. The input field also loses the security of type="password" and any hacker can easily get the value.

3) Use -webkit-text-security

This is pretty much the same solution as the one before but this isn't even css standard and few browsers support it.

4) Replace value with *

This is the trickiest solution I've tried so far. When input value is changed I call a function in typescript that: Adds the new character to a local string, Change DOM value to * equal to the amount of characters, Return the locally saved value on (blur).

This leaves me with a large amount of problems to deal with including: Erasing any character in the string removes the last character always, In addition to the last problem the first character will always stay the same even if the value is completely erased, Having to know where in the string to remove characters.

This solution is less than ideal.

5) Disable password management for domain in browser settings

This really isn't a solution to the problem as it means that I expect the users to turn off password management for domain. It would also result in not saving the password on the login page as many users may need.

6) Randomise [name] and [autocomplete] values

By one way binding said values to a randomised string based on current time, I can ensure that the password field doesn't match any fields saved by the browser. Although many has reported that this works between all browsers, this doesn't seem to work for me at all when using chrome. For me chrome shows recommended password as long as the input is of type="password".


Solutions I've seen so far:

1) Use two input fields

This seems to me to work the same as my own solution 4). And will probably be just as troublesome to work with.

2) Use jQuery Disable Auto Fill Plugin

This seem to be very close to what I'm looking for but the problem is that it uses jQuery. All I can say is that I've been told that we're not using jQuery and that I probably won't be able to use the plugin directly.

I'm currently looking for a way to implement this using angular and would love any help or directions on this.


If you know of any solution that I haven't mentioned above, please post an answer or drop me a link in comments.

like image 289
kebbaben Avatar asked Jun 26 '19 10:06

kebbaben


People also ask

How do I turn off autocomplete on password field?

Preventing autofilling with autocomplete="new-password" If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password" .

Can a website disable autofill?

Turning Off Autofill in ChromeClick on Settings. In the "Autofill" section, expand the area for which you wish to disable Autofill. Toggle the setting OFF if it is on. The system will automatically save your settings.


1 Answers

The best solution I've found so far is to use type="text" on password field and use autocomplete="off" on the form and every input field in it.

I won't mark this as an answer however as it still has the great flaw of losing the type="password" security functionality. Text fields also allows spell check which can be disabled with spellcheck="false". But I've read that it's possible to override this with browser settings.

This question will remain unanswered until a better solution is proposed.

like image 124
kebbaben Avatar answered Nov 15 '22 05:11

kebbaben