
Prevent Chrome from prompting to save password from input box?

Chrome was recently updated with an annoying popup that comes down from an icon in the address bar and prompts to save a password on the page when the user submits the form. There's no other input box on this page, and no other browser prompts to save this password, so I don't know why Chrome does. It is a password, therefore it shouldn't be visible as plain text in the input box, but it's not a password that should ever be saved - it's not login credentials. It's actually quite important the user of the computer does not know this password - someone else must enter it in for them - so if the browser saves it that would be bad.

How can you prevent Chrome (and all browsers) from prompting to save this password?

<form action="/..." method="post" onsubmit="return pwFormIsSubmittable();">
    <p>Password: <input autofocus="" type="password" name="1409_password" style="width:100px" tabindex="1" autocomplete="off"></p>
    <div class="tabSubmitButtons">
        <input type="button" name="event=default" value="Cancel" onclick="window.location='...'" tabindex="3">
        <input type="submit" value="Submit" onclick="submitForm();" tabindex="2">
        <input type="hidden" name="begin" value="Yes">
        <!-- couple other hidden inputs -->
    </div>
</form>

[Image: annoying chrome popup]

Jordan H asked Dec 03 '14 19:12




2 Answers

Instead of using input type password, use type text with style set to style="-webkit-text-security: disc;" which will replace the characters with dots.

<input type="text" id="password" style="-webkit-text-security: disc;">

There are other options to using the dot:

input { -webkit-text-security: none; }
input { -webkit-text-security: circle; }
input { -webkit-text-security: square; }
input { -webkit-text-security: disc; /* Default */ }

Answer found here: how to disable save password prompt in chrome

Martin answered Oct 04 '22 10:10
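
Added example, not part of the answer above or of the original page: switching to type="text" with -webkit-text-security changes only how the field is rendered, so the field loses what a real password input provides (no form-history autofill, no spellcheck, no copy/cut), and where the property is unsupported the secret would be shown in clear text. The sketch below applies the masking only when it is supported and restores those protections; `hardenMaskedInput` and `cssSupports` are hypothetical names chosen for this example.

```javascript
// Added example: apply the type="text" + -webkit-text-security masking while
// keeping the protections a real password field would have provided.
// `hardenMaskedInput` and `cssSupports` are hypothetical names for this sketch.
function hardenMaskedInput(input, cssSupports) {
  // In a browser, pass (prop, val) => CSS.supports(prop, val).
  const canMask = cssSupports("-webkit-text-security", "disc");

  if (!canMask) {
    // Without the property a text input would display the secret in clear
    // text, so fall back to a real password field and accept the save prompt.
    input.setAttribute("type", "password");
    input.setAttribute("autocomplete", "off");
    return "password-fallback";
  }

  input.setAttribute("type", "text");
  input.style.setProperty("-webkit-text-security", "disc");

  // A text input is eligible for form-history autofill, spellcheck and
  // mobile auto-capitalisation; a password input is not. Turn them off.
  input.setAttribute("autocomplete", "off");
  input.setAttribute("spellcheck", "false");
  input.setAttribute("autocapitalize", "off");

  // The property only changes rendering; the field is still an ordinary text
  // input, so block copy/cut the way a password field would.
  for (const type of ["copy", "cut"]) {
    input.addEventListener(type, (event) => event.preventDefault());
  }
  return "masked-text";
}

// Browser usage (the element id is taken from the answer's markup):
// hardenMaskedInput(document.getElementById("password"),
//                   (prop, val) => CSS.supports(prop, val));
```

The return value tells the caller which mode was applied, so the page can decide whether the save prompt is still possible for that browser.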


Current state of the Web-App vs. Browser Developer war:

Setting the password input's type and text is no longer adequate as of August 2021. Furthermore, Chrome prompts for password even if no form submission takes place. Simply detaching the password input element generates the prompt. Fer crying out loud. (Possibly triggered by a navigator fragment-only state transition used to route the browser back button onto the dialog's cancel button, which doesn't do a form submit either. There is no form element).

The following code is from a react app, but applicability should be obvious.

    let passwordInput = this.refPassword.current;
    if (passwordInput)
    {
        passwordInput.setAttribute("value",""); // overwrite the password.
        passwordInput.setAttribute("type","text"); // change the type of the input element.
    }
    // delay dismissing the dialog.
    setTimeout(()=> {
         // dismiss the dialog.
         this.props.onCancel();
    });

Without the setTimeout call, Chrome 92.0.4515.159 currently prompts to save the password with the value of the password input before the value was set to "" if the input control is detached immediately by, for example, pressing the "Cancel" button. The setTimeout call is required to prevent this behavior. Personally, I prefer this solution to using the -webkit styles, because it is -- for the meantime -- relatively portable.

For those who would defend browser developers' actions, this is the use case. The application is a single-page web app developed with react framework. The dialog in question is the configuration dialog for the Wi-Fi access point on an IoT device. The password box contains the WEP passphrase for the Wi-Fi access point (it has a visible/non-visible password decoration, and code to display "(Unchanged)" if the password has not yet been edited so that stored passwords never get sent back to the web app). The code in question prevents a password save prompt in the case where the user has clicked the cancel button, even if the password input is in error state because the password doesn't meet the minimum-length of 8 characters required by WEP!

Clicking on save for the WEP passphrase overwrites the actual site password with the WEP passphrase. Clicking on "Never" disables saving of the main site password. So in terms of respecting user intent, the purpose here is to PREVENT the user from doing something catastrophic such as clicking the "Never" button, which will prevent password saving for the actual login dialog, where it's needed.

Is there some security motivation going on here that has caused browser developers to escalate this battle so severely? I just can't imagine what the security consequences of NOT saving a password would be.

Robin Davies answered Oct 04 '22 10:10