
Should autocomplete="off" be used for all sensitive fields?

Tags: forms, security

What are your thoughts about this issue in regards to an e-commerce environment?

Do you think it is wise to turn autocomplete off on all sensitive input fields such as passwords (for log-in areas), or will this just inconvenience the client?

new_guy asked Jun 14 '10 20:06


People also ask

Should I disable autocomplete?

The answer is YES, you should disable autofill and I will tell you why. The biggest concern with autofill is privacy and how a hacker can easily obtain personal information. It is simple to trick a browser or password manager into giving up saved login credentials.

What is the use of autocomplete off?

The autocomplete attribute specifies whether a form should have autocomplete on or off. When autocomplete is on, the browser automatically completes values based on values that the user has entered before. Tip: It is possible to have autocomplete "on" for the form, and "off" for specific input fields, or vice versa.

Does Chrome ignore autocomplete off?

Chrome intentionally ignores autocomplete="off" and autocomplete="false". However, they put new-password in as a special clause to stop new password forms from being auto-filled.

Why using autocomplete is a security risk?

The Dangers of Autofill: Autofill knows there is a form on the page and can give up your information, allowing the hacker to collect your credentials. Research has shown that four out of five people make the common password error of using the same or similar passwords for multiple accounts.

Is autocomplete the same as autofill?

Autofill is a browser feature that allows people to save information (on the browser or the OS) and use it on web forms. autocomplete is an HTML attribute that provides guidelines to the browser on how to (or not to) autofill in fields in a web form.


1 Answer

I hate websites that do that. It is the client's decision if they want to save passwords or not. What is particularly irksome is that this attribute breaks OS X's native KeyChain support. So, even though the user has stored his password in a secure file, and authorized themselves and the application to use it, the website still thinks it knows better. Just plain annoying.

James Sumners answered Nov 14 '22 05:11
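The form-level versus field-level behaviour described under "What is the use of autocomplete off?" can be checked mechanically. The following is an added example, not code from the page or from either poster: it resolves the effective autocomplete value of each input (its own attribute, otherwise the owning form's on/off state) and marks password fields that end up "off". The markup is constructed, the function names are hypothetical, and the parser assumes double-quoted attributes.

```javascript
// Added example: constructed markup, not taken from the original page.
const SAMPLE_HTML = `
<form id="login" autocomplete="off">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass">
</form>
<form id="signup">
  <input type="email" name="email">
  <input type="password" name="new_pass" autocomplete="new-password">
  <input type="text" name="card" autocomplete="off">
</form>`;

// Read one attribute from a tag's source text (double-quoted values only).
function attr(tag, name) {
  const m = new RegExp(`\\s${name}="([^"]*)"`, "i").exec(tag);
  return m ? m[1].toLowerCase() : null;
}

// Hypothetical audit helper: one row per <input> inside each <form>.
function auditAutocomplete(html) {
  const rows = [];
  for (const f of html.matchAll(/<form\b[^>]*>([\s\S]*?)<\/form>/gi)) {
    const formTag = f[0].slice(0, f[0].indexOf(">") + 1);
    // A form's autocomplete is "on" unless explicitly set to "off".
    const formDefault = attr(formTag, "autocomplete") === "off" ? "off" : "on";
    for (const i of f[1].matchAll(/<input\b[^>]*>/gi)) {
      const own = attr(i[0], "autocomplete");
      const effective = own ?? formDefault; // field value overrides the form
      const type = attr(i[0], "type") ?? "text";
      rows.push({
        form: attr(formTag, "id"),
        name: attr(i[0], "name"),
        type,
        effective,
        inherited: own === null,
        // The case this page debates: a password field resolved to "off".
        passwordOff: type === "password" && effective === "off",
      });
    }
  }
  return rows;
}

console.table(auditAutocomplete(SAMPLE_HTML));
```

In the sample, only the login form's `pass` field is marked: it inherits "off" from its form, while `new_pass` carries the `new-password` token mentioned above.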