Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should autocomplete="off" be used for all sensitive fields?

Tags:

forms

security

What are your thoughts about this issue in regards to an e-commerce environment?

Do you think it is wise to turn autocomplete off on all sensitive input fields such as passwords (for log-in areas), or will this just inconvenience the client?

like image 219
new_guy Avatar asked Jun 14 '10 20:06

new_guy

People also ask

Should I disable autocomplete?

The answer is YES, you should disable autofill and I will tell you why. The biggest concern with autofill is privacy and how a hacker can easily obtain personal information. It is simple to trick a browser or password manager into giving up saved login credentials.

What is the use of autocomplete off?

The autocomplete attribute specifies whether a form should have autocomplete on or off. When autocomplete is on, the browser automatically complete values based on values that the user has entered before. Tip: It is possible to have autocomplete "on" for the form, and "off" for specific input fields, or vice versa.

Does Chrome ignore autocomplete off?

Chrome intentionally ignores autocomplete=“off” and autocomplete=“false”. However, they put new-password in as a special clause to stop new password forms from being auto-filled.

Why using autocomplete is a security risk?

The Dangers of AutofillAutofill knows there is a form on the page and can give up your information, allowing the hacker to collect your credentials. Research has shown that four out of five people make the common password error of using the same or similar passwords for multiple accounts.

Is autocomplete the same as autofill?

Autocomplete And Autofill # Autofill is a browser feature that allows people to save information (on the browser or the OS) and use it on web forms. autocomplete is an HTML attribute that provides guidelines to the browser on how to (or not to) autofill in fields in a web form.

1 Answers

I hate websites that do that. It is the client's decision if they want to save passwords or not. What is particularly irksome is that this attribute breaks OS X's native KeyChain support. So, even though the user has stored his password in a secure file, and authorized themselves and the application to use it, the website still thinks it knows better. Just plain annoying.

like image 112
James Sumners Avatar answered Nov 14 '22 05:11

James Sumners
Sign in to Comment

Related questions

In PHP, how does PDO protect from SQL injections? How do prepared statements work?
Simplest way to encrypt a text file in java
How can one make a web-site accessible only when someone has a dongle?
Is there a "safe" subset of Python for use as an embedded scripting language?
In which languages is it a security hole to use user-supplied regular expression?
SSLContext initialization
Is Microsoft's GUID generator cryptographically secure
HTML.Encode() - What/How does it prevent scripting security problems in ASP .NET?
How to prevent NFC tag cloning?
How safe is information contained within iPhone app compiled code?
Moving old passwords to new hashing algorithm?
Is ALLOWED_HOSTS needed on Heroku?
How does a 7- or 35-pass erase work? Why would one use these methods?
Enable HTTP Strict Transport Security (HSTS) in Azure WebRoles
SSL Java java.io.IOException: Invalid keystore format
require('https') vs require('tls')
cleaning $_POST variables [duplicate]
How to calculate password complexity [closed]
Password does not match after being encrypted using crypt() and password_hash() function
Symfony2 create own encoder for storing password

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!