How to prevent a browser from storing passwords

Question

I need to stop browsers from storing the username & password values, because I'm working on a web application which contains more secure data. My client asked me to do this.

I tried the autocomplete="off" attribute in the HTML form and password fields. But it is not working in the latest browsers like Chrome 55, Firefox 38+, Internet Explorer 11, etc.

What is the best solution for this?

I have a similar situation - an internal web application with a support-tech-only area where the password unlocks unsafe features of the application. Allowing the end user access to this would be very bad, so yes, there are valid situations where you do not want passwords to be saved. Still looking for a working answer, by the way. — semmelbroesel, Sep 11 '17 at 18:24
One use case is where users share a computer, but need to log in as individuals into a webapp. — Leif Neland, Apr 06 '18 at 11:07
My solution is a bit of a hack, but I used JS to clear the field. — David Moritz, Apr 16 '18 at 14:57
I really don't recommend people do this in 2020 unless you have a very special situation. This makes security worse. Users should be using a unique password for every different service they use. Of course there's no way remember so many unique and unrelated passwords, so users need use a password manger to do this. All the big browsers have ones built in and there's lots of 3rd party options. Besides some special case exceptions, blocking password mangers will likely end up hurting your security more than helping it. — Chris, Jul 24 '20 at 08:57
@Chris - its precisely the 'special case exceptions' why there really should be a proper way of doing this. Those rare cases where the whole point is to confirm the user is still the same user, or when they are changing the password and you know (as a developer) that the saved value MUST be wrong. — Morvael, May 06 '21 at 15:11

score 50 · Accepted Answer · edited Feb 20 '18 at 13:38

50

Thank you for giving a reply to me. I followed the below link

Disable browser 'Save Password' functionality

I resolved the issue by just adding readonly & onfocus="this.removeAttribute('readonly');" attributes besides autocomplete="off" to the inputs as shown below.

<input type="text" name="UserName" autocomplete="off" readonly 
onfocus="this.removeAttribute('readonly');" >

<input type="password" name="Password" autocomplete="off" readonly 
onfocus="this.removeAttribute('readonly');" >

This is working fine for me.

edited Feb 20 '18 at 13:38

Hakan Fıstık

11,376
8
74
105

answered Dec 28 '16 at 13:13

Sree

2,214
5
22
32

`autocomplete` attribute is no longer supported by the browsers – csandreas1 Mar 20 '18 at 13:02
2

tried this, doesn't work also esp firefox dev edition – Alexander Mar 26 '18 at 18:06
My solution is a bit of a hack, but I used JS to clear the field. – David Moritz Apr 16 '18 at 14:57
on my login page (mvc project) I added: onfocus ="this.removeAttribute('readonly');", onfocusout ="this.setAttribute('readonly','readonly');" and it works as a charm! even in FireFox ‏67.0.4 ‏(64 bits)! thank you! – Developer Jun 23 '19 at 18:03
in firefox browser version 84.0b8 (64-bit) does not work. – Ajay Takur Dec 05 '20 at 06:59
This method broke the keyboard on iOS devices. The keyboard wasn't showing on Iphones. – Niklas Mar 26 '21 at 11:22

4castle · Answer 2 · 2021-04-13T07:31:58.480

39

Trying to prevent the browser from storing passwords is not a recommended thing to do. There are some workarounds that can do it, but modern browsers do not provide this feature out-of-the-box and for good reason. Modern browsers store passwords in password managers in order to enable users to use stronger passwords than they would usually.

As explained by MDN: How to Turn Off Form Autocompletion:

Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.

Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

For this reason, many modern browsers do not support autocomplete="off" for login fields:

If a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

If a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).

If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet.

edited Apr 13 '21 at 07:31

answered Dec 19 '16 at 06:56

4castle

28,713
8
60
94

3

It is so, so trivially easy to reveal a password in a browser. Just open developer tools, change the input type from password to text, and voila! There it is. – Elroy Flynn Aug 20 '17 at 22:15
17

There are use cases where password manager makes no sense. Such as changing a password. autocomplete="new-password" does not work for me as at Firefox 55.0.3 x64 – Pancho Sep 15 '17 at 20:59
Thanks, worked for me and this is very simple. I am use Chome Version 64.0.3282.186 (Official Build) (64-bit) – A.Wie Mar 07 '18 at 12:13
7

In Chrome 65, `autocomplete="new-password"` does the exact opposite of what I want. It doesn't show the "would you like to update your saved password..." dialog... it just silently updates my stored password. Worse than useless - dangerous! >:( – Doug McLean Jun 06 '18 at 09:53
if this is not possible in many modern browsers, is it possible to change the password string just before the browser is going to save it? – scipsycho Mar 04 '19 at 10:44
@scipsycho That would probably work, but why would you want to handicap a security feature of the browser? – 4castle Mar 04 '19 at 17:39
@4castle you are right about that. Although, I have seen some sites do this (like my router login), what I am trying to understand here, is how a website is able to fool the browser about the password it's about to save. After, all the web browser sends that HTTPS POST message through the port which also contains the password? – scipsycho Mar 05 '19 at 12:01
This _would_ be a good answer *except* that it is usually a trivial matter to view passwords in plaintext saved in a browser. Have all modern browsers require a password to unlock the saved passwords, AND save the passwords with encryption of reasonable strength, THEN you can think about letting the browser save the password for you. – UncaAlby Dec 18 '20 at 17:27
@UncaAlby Well yes, the user should only login to their password manager if they're on a trusted device. The user can disable their password manager if they want, or it can be enforced by a group policy on the operating system to disable the password manager. – 4castle Dec 18 '20 at 18:23
@4castle you are correct, however, even a trusted device can find its way into the wrong hands. If your laptop and lost or stolen, or your home office broken into, your passwords are as good as stolen unless properly encrypted. The proper behavior of a Password Manager *should be* to always encrypt the saved passwords and always require a specific password to unlock them. If Modern Browsers are going to take on the duties of a Password Manager, that's what they need to do. That isn't the case today, so millions of passwords are at greater risk. – UncaAlby Dec 18 '20 at 20:31
@UncaAlby On Windows at least, the password manager in the major browsers use your Windows login password to encrypt the data. So the thief would need to also be logged in to your device in order to steal any passwords. – 4castle Dec 19 '20 at 00:50

score 18 · Answer 3 · edited Jun 02 '20 at 22:56

18

Here is a pure HTML/CSS solution for Chrome tested in version 65.0.3325.162 (official build) (64-bit).

Set the input type="text" and use CSS text-security:disc to mimic type="password".

<input type="text" name="username">
<input type="text" name="password" style="text-security:disc; -webkit-text-security:disc;">

Note: Works in Firefox but CSS moz-text-security is Deprecated/Removed. To fix this create a CSS font-face made only of dots and use font-family: 'dotsfont';.

Source: Get input type=text to look like type=password

The Source above contains a link to a work-around for CSS moz-text-security and -webkit-text-security property.

Source: https://github.com/kylewelsby/dotsfont

As far as I have tested this solution works for Chrome, Firefox version 59.0 (64-bit), Internet Explorer version 11.0.9600 as well as the IE Emulators Internet Explorer 5 and greater.

edited Jun 02 '20 at 22:56

Peter Mortensen

28,342
21
95
123

answered Mar 15 '18 at 16:33

Natro90

197
1
3

4

This may be a bad idea, given that the password field has some additional security properties – e.g. not being able to copy-paste the text inside it. – tXK Aug 27 '18 at 02:29
1

@tXK I agree without you.. but you can copy/paste text inside of a password field with a quick trick e.g While in chrome, right-click on the password field, goto inspect then change type="password" to type="text". – Natro90 Sep 03 '18 at 13:24
3

Copy/paste shouldn't be considered a problem in password fields, as that's the theoretical basis for password managers. Ask Troy Hunt. – Lorenzo Peña Nov 17 '18 at 14:40
I don't think its a good idea. example If we have auto filer or password manager extension how it recognize password field, there may be some option to find it ..but It not a good lesson for beginners – Khurram Shaikh Sep 23 '19 at 13:58
This was the only solution that actually worked for me on React with Chrome. – Luis Febro Mar 02 '20 at 00:26
DO NOT DO THIS! This disables the special security behavior that the password input fields have. Browsers and operating systems take extra care when handling password inputs. On macOS, when you're using a password field Chrome marks it as a "Secure Input" which protects apps that have the normal input monitoring permissions from reading it. and since the browser thinks its boring text, it might store the value for later autocompleting, but it won't store the value in an extra secure way. Chrome's autofill stores a lot of sure you can find in the `autofill` table in `Web Data` sqlite db – Chris Jul 24 '20 at 09:17

score 14 · Answer 4 · edited Aug 06 '20 at 12:34

14

I solved this by adding autocomplete="one-time-code" to the password input.

As per an HTML reference autocomplete="one-time-code" - a one-time code used for verifying user identity. It looks like the best fit for this.

edited Aug 06 '20 at 12:34

Peter Mortensen

28,342
21
95
123

answered Jun 22 '20 at 07:28

alexk

141
1
3

Strange, mdn is suggesting [`new-password`](https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#preventing_autofilling_with_autocompletenew-password), but neither does work for me in FF. – Christian Gollhardt Jan 11 '21 at 14:53

score 11 · Answer 5 · edited Feb 19 '20 at 17:45

11

You should be able to make a fake hidden password box to prevent it.

<form>
  <div style="display:none">
    <input type="password" tabindex="-1"/>
  </div>
  <input type="text" name="username" placeholder="username"/>
  <input type="password" name="password" placeholder="password"/>
</form>

edited Feb 19 '20 at 17:45

Bouke

10,025
6
49
88

answered Dec 27 '16 at 10:04

Simon Briggs

1,081
1
8
14

Genius! :) I would give it a value though, like value="x". And I would not use display:none, but an absurd location outside of the window, or a negative z-index. – FlorianB Mar 15 '18 at 00:46
what about ? – qd0r Sep 06 '18 at 11:58
1

In browser firefox 84.0b5 (64-bit) version it does not work. – Ajay Takur Dec 05 '20 at 06:11

score 7 · Answer 6 · edited Jun 02 '20 at 23:03

By default, there is not any proper answer to disable saving a password in your browser. But luckily there is a way around and it works in almost all the browsers.

To achieve this, add a dummy input just before the actual input with autocomplete="off" and some custom styling to hide it and providing tabIndex.

Some browsers' (Chrome) autocomplete will fill in the first password input it finds, and the input before that, so with this trick it will only fill in an invisible input that doesn't matter.

          <div className="password-input">
            <input
              type="password"
              id="prevent_autofill"
              autoComplete="off"
              style={{
                opacity: '0',
                position: 'absolute',
                height: '0',
                width: '0',
                padding: '0',
                margin: '0'
              }}
              tabIndex="-2"
            />
            <input
              type="password"
              autoComplete="off"
              className="password-input-box"
              placeholder="Password"
              onChange={e => this.handleChange(e, 'password')}
            />
          </div>

score 3 · Answer 7 · edited Aug 06 '20 at 04:59

I tested the many solutions and finally I came with this solution.

HTML Code

<input type="text" name="UserName" id="UserName" placeholder="UserName" autocomplete="off" />
<input type="text" name="Password" id="Password" placeholder="Password" autocomplete="off"/>

CSS Code

#Password {
    text-security: disc;
    -webkit-text-security: disc;
    -moz-text-security: disc;
}

JavaScript Code

window.onload = function () {
    init();
}

function init() {
    var x = document.getElementsByTagName("input")["Password"];
    var style = window.getComputedStyle(x);
    console.log(style);

    if (style.webkitTextSecurity) {
        // Do nothing
    } else {
        x.setAttribute("type", "password");
    }
}

JPortillo · Answer 8 · 2020-08-10T17:06:58.663

At the time this was posted, neither of the previous answers worked for me.

This approach uses a visible password field to capture the password from the user and a hidden password field to pass the password to the server. The visible password field is blanked before the form is submitted, but not with a form submit event handler (see explanation on the next paragraph). This approach transfers the visible password field value to the hidden password field as soon as possible (without unnecessary overhead) and then wipes out the visible password field. If the user tabs back into the visible password field, the value is restored. It uses the placeholder to display ●●● after the field was wiped out.

I tried clearing the visible password field on the form onsubmit event, but the browser seems to be inspecting the values before the event handler and prompts the user to save the password. Actually, if the alert at the end of passwordchange is uncommented, the browser still prompts to save the password.

function formsubmit(e) {
  document.getElementById('form_password').setAttribute('placeholder', 'password');
}

function userinputfocus(e) {
  //Just to make the browser mark the username field as required
  // like the password field does.
  e.target.value = e.target.value;
}

function passwordfocus(e) {
  e.target.setAttribute('placeholder', 'password');
  e.target.setAttribute('required', 'required');
  e.target.value = document.getElementById('password').value;
}

function passwordkeydown(e) {
  if (e.key === 'Enter') {
    passwordchange(e.target);
  }
}

function passwordblur(e) {
  passwordchange(e.target);

  if (document.getElementById('password').value !== '') {
    var placeholder = '';
      
    for (i = 0; i < document.getElementById('password').value.length; i++) {
      placeholder = placeholder + '●';
    }
      
    document.getElementById('form_password').setAttribute('placeholder', placeholder);
  } else {
    document.getElementById('form_password').setAttribute('placeholder', 'password');
  }
}

function passwordchange(password) {
  if (password.getAttribute('placeholder') === 'password') {
    if (password.value === '') {
      password.setAttribute('required', 'required');
    } else {
      password.removeAttribute('required');
      var placeholder = '';

      for (i = 0; i < password.value.length; i++) {
        placeholder = placeholder + '●';
      }
    }

    document.getElementById('password').value = password.value;
    password.value = '';

    //This alert will make the browser prompt for a password save
    //alert(e.type);
  }
}

#form_password:not([placeholder='password'])::placeholder {
  color: red; /*change to black*/
  opacity: 1;
}

<form onsubmit="formsubmit(event)" action="/action_page.php">
<input type="hidden" id="password" name="password" />

<input type="text" id="username" name="username" required
  autocomplete="off" placeholder="username"
  onfocus="userinputfocus(event)" />
<input type="password" id="form_password" name="form_password" required
  autocomplete="off" placeholder="password"
  onfocus="passwordfocus(event)"
  onkeydown="passwordkeydown(event)"
  onblur="passwordblur(event)"/>
<br />
<input type="submit"/>

score 1 · Answer 9 · edited Jun 21 '19 at 11:52

1

< input type="password" style='pointer-event: none' onInput= (e) => handleInput(e) />

function handleInput(e) {
  e.preventDefault();
  e.stopPropagation();
  e.target.setAttribute('readonly', true);
  setTimeout(() => {
    e.target.focus();
    e.target.removeAttribute('readonly');
  });
}

edited Jun 21 '19 at 11:52

Matt

1,455
4
11
27

answered Jun 21 '19 at 11:00

Andrew Andrew

11
1

An explanation would be in order. – Peter Mortensen Aug 06 '20 at 12:43

score 1 · Answer 10 · answered Apr 21 '21 at 21:55

I'm making a PWA using React. (And using Material-UI and Formik on the component in question, so syntax may seem a bit unusual...)

I wanted to stop Chrome from trying to save login credentials (because devices are shared with many users in my situation).

For the input (MUI TextField in my case), I set the type to "text" rather than "password" in order to get around Chromes detection for the store-credentials-feature. I made input-mode as "numeric" to get the keypad to pop up as the keyboard, because users will input a PIN for their password. And then, as others here described, I used text-security: disc; and -webkit-text-security: disc;
Again, careful of my code's syntax, as it's using React, MUI, etc. (React uses capital letters and no dashes, etc.)

See the parts with the // comment; the rest is just bonus for context.

<TextField
            type="text" // this is a hack so Chrome does not offer saved credentials; should be "password" otherwise
            name="pincode"
            placeholder="pin"
            value={values[PIN_FIELD]}
            onChange={handleChange}
            onBlur={handleBlur}
            InputProps={{
              endAdornment: (
                <InputAdornment position="end">
                  <RemoveRedEye
                    color="action"
                    onClick={togglePasswordMask}
                  />
                </InputAdornment>
              ),
              inputProps: {
                inputMode: 'numeric', // for number keyboard
                style: {
                  textSecurity: `${passwordIsMasked ? 'disc' : ''} `, // part of hack described above. this disc mimics the password *** appearance
                  WebkitTextSecurity: `${passwordIsMasked ? 'disc' : ''} `, // same hack
                },
              },
            }}
          />

As you can see, I have a toggle that lets you hide or show the pin (by clicking the eye icon). A similar function could be added as appropriate / desired.

const [passwordIsMasked, setPasswordIsMasked] = useState(true)
const togglePasswordMask = () => {
setPasswordIsMasked((value) => !value)

}

score 0 · Answer 11 · edited Jun 02 '20 at 22:45

0

I think it is not possible in the latest browsers.

The only way you can do that is to take another hidden password field and use it for your logic after taking value from visible password field while submitting and put dummy string in visible password field.

In this case the browser can store a dummy string instead of the actual password.

edited Jun 02 '20 at 22:45

Peter Mortensen

28,342
21
95
123

answered Dec 19 '16 at 10:00

Ratnakar Reddy

53
1
5

score 0 · Answer 12 · edited Jun 02 '20 at 22:47

While the previous solutions are very correct, if you absolutely need the feature then you can mimic the situation with custom input using text-field and JavaScript.

For secure usage, you can use any cryptography technique. So this way you will bypass the browser's password saving behavior.

If you want to know more about the idea, we can discuss that on chat. But the gist is discussed in previous answers and you can get the idea.

score 0 · Answer 13 · edited Jun 02 '20 at 22:49

Try the following. It may be help you.

For more information, visit Input type=password, don't let browser remember the password

function setAutoCompleteOFF(tm) {
    if(typeof tm == "undefined") {
        tm = 10;
    }
    try {
        var inputs = $(".auto-complete-off, input[autocomplete=off]");
        setTimeout(function() {
            inputs.each(function() {
                var old_value = $(this).attr("value");
                var thisobj = $(this);
                setTimeout(function() {
                    thisobj.removeClass("auto-complete-off").addClass("auto-complete-off-processed");
                    thisobj.val(old_value);
                }, tm);
             });
         }, tm);
    }
    catch(e){
    }
}

$(function(){
    setAutoCompleteOFF();
})

<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<input id="passfld" type="password" autocomplete="off" />
<input type="submit">

score 0 · Answer 14 · edited Jun 02 '20 at 22:52

0

One way would be to generate random input names and work with them.

This way, browsers will be presented with the new form each time and won't be able to pre-populate the input fields.

_{If you provide us with some sample code (do you have a JavaScript single-page application (SPA) app or some server side rendering) I would be happy to help you in the implementation.}

edited Jun 02 '20 at 22:52

Peter Mortensen

28,342
21
95
123

answered Dec 28 '16 at 10:58

this doesn't work - the password manager prompts even if the field has no name or id (on Firefox anyway) – Pancho Sep 15 '17 at 14:39

score 0 · Answer 15 · edited Aug 06 '20 at 04:54

0

One thing you can do is ask your users to disable saving the password for your site. This can be done browser wide or origin wide.

Something else you can do is to force the inputs to be empty after the page is loaded (and after the browser auto completed the fields). Put this script at the end of the <body> element.

userIdInputElement.value = "";
userPasswordInputElement.value = "";

edited Aug 06 '20 at 04:54

Peter Mortensen

28,342
21
95
123

answered Dec 28 '16 at 11:33

Walle Cyril

2,691
2
16
46

score 0 · Answer 16 · edited Jun 02 '20 at 22:54

I needed this a couple of years ago for a specific situation: Two people who know their network passwords access the same machine at the same time to sign a legal agreement.

You don't want either password saved in that situation because saving a password is a legal issue, not a technical one where both the physical and temporal presence of both individuals is mandatory. Now, I'll agree that this is a rare situation to encounter, but such situations do exist and built-in password managers in web browsers are unhelpful.

My technical solution to the above was to swap between password and text types and make the background color match the text color when the field is a plain text field (thereby continuing to hide the password). Browsers don't ask to save passwords that are stored in plain text fields.

jQuery plugin:

https://github.com/cubiclesoft/php-flexforms-modules/blob/master/password-manager/jquery.stoppasswordmanager.js

Relevant source code from the above link:

(function($) {
$.fn.StopPasswordManager = function() {
    return this.each(function() {
        var $this = $(this);

        $this.addClass('no-print');
        $this.attr('data-background-color', $this.css('background-color'));
        $this.css('background-color', $this.css('color'));
        $this.attr('type', 'text');
        $this.attr('autocomplete', 'off');

        $this.focus(function() {
            $this.attr('type', 'password');
            $this.css('background-color', $this.attr('data-background-color'));
        });

        $this.blur(function() {
            $this.css('background-color', $this.css('color'));
            $this.attr('type', 'text');
            $this[0].selectionStart = $this[0].selectionEnd;
        });

        $this.on('keydown', function(e) {
            if (e.keyCode == 13)
            {
                $this.css('background-color', $this.css('color'));
                $this.attr('type', 'text');
                $this[0].selectionStart = $this[0].selectionEnd;
            }
        });
    });
}
}(jQuery));

Demo:

https://barebonescms.com/demos/admin_pack/admin.php

Click "Add Entry" in the menu and then scroll to the bottom of the page to "Module: Stop Password Manager".

For that demo Chrome asks to save the password Version 65.0.3325.146 — J. Allen, Mar 08 '18 at 22:19
Confirmed. Chrome 63 does not seem to have that behavior. Looks like pressing the Enter key in Chrome 64 submits the form BEFORE the blur handler on the element is called and therefore Chrome sees the password field. However, if you click outside of the element first and then submit, Chrome doesn't complain. Seems like a bug in Chrome to me: Submitting a form should always call all relevant event handlers on the focused element before submitting as there could be validation code that might need to run that would prevent the form from submitting. Both Firefox and Edge do the right thing here. — CubicleSoft, Mar 09 '18 at 14:53
That fix works in that it hides the popup, however, there is still a way to see the password. The user can click on the 'key' icon in the chrome URL bar, and if they know the account password of the Operating System, can view the last known password entered into any password text input. As far as I know, the form doesn't even have to be submitted. Refreshing the page before submission is not even enough now. So my theory is it must be straight up recording keystrokes now into any input type=password, not reading dom elements after the fact. — J. Allen, Mar 09 '18 at 19:17
So Chrome comes with its own password DOM logger. Fantastic. That's just what everyone needed. Broken-by-design web browser feature is broken. Firefox and Edge don't have this issue. Not much can be done except hope that Google will drop the non-feature unless, of course, someone wants to go crazy and emulate a password field entirely in Javascript. — CubicleSoft, Mar 10 '18 at 06:00

score 0 · Answer 17 · answered Sep 19 '19 at 13:59

0

This worked for me:

<form action='/login' class='login-form' autocomplete='off'>
  User:
  <input type='user' name='user-entry'>
  <input type='hidden' name='user'>

  Password:
  <input type='password' name='password-entry'>
  <input type='hidden' name='password'>
</form>

answered Sep 19 '19 at 13:59

Ivan Moran

111
1
6

Beware: Not all browsers support the autocomplete attribut! – summsel Dec 18 '19 at 15:59

score 0 · Answer 18 · edited Aug 06 '20 at 12:37

0

I would create a session variable and randomize it. Then build the id and name values based on the session variable. Then on login interrogate the session var you created.

if (!isset($_SESSION['autoMaskPassword'])) {
    $bytes = random_bytes(16);
    $_SESSION['autoMask_password'] = bin2hex($bytes);
}

<input type="password" name="<?=$_SESSION['autoMaskPassword']?>" placeholder="password">

edited Aug 06 '20 at 12:37

Peter Mortensen

28,342
21
95
123

answered Apr 11 '20 at 23:38

Natdrip

866
1
9
22

user4406260 · Answer 19 · 2020-08-16T04:27:58.497

I did it by setting the input field as "text", and catching and manipulating the input keys

first activate a function to catch keys

yourInputElement.addEventListener('keydown', onInputPassword);

the onInputPassword function is like this: (assuming that you have the "password" variable defined somewhere)

onInputPassword( event ) {
  let key = event.key;
  event.preventDefault(); // this is to prevent the key to reach the input field

  if( key == "Enter" ) {
    // here you put a call to the function that will do something with the password
  }
  else if( key == "Backspace" ) {
    if( password ) {
      // remove the last character if any
      yourInputElement.value = yourInputElement.value.slice(0, -1);
      password = password.slice(0, -1);
    }
  }
  else if( (key >= '0' && key <= '9') || (key >= 'A' && key <= 'Z') || (key >= 'a' && key <= 'z') ) {
    // show a fake '*' on input field and store the real password
    yourInputElement.value = yourInputElement.value + "*";
    password += key;
  }
}

so all alphanumeric keys will be added to the password, the 'backspace' key will erase one character, the 'enter' key will terminate, and any other keys will be ignored

don't forget to call removeEventListener('keydown', onInputPassword) somewhere at the end

score -1 · Answer 20 · edited Jun 02 '20 at 23:02

It is working fine for a password field to prevent to remember its history:

$('#multi_user_timeout_pin').on('input keydown', function(e) {
  if (e.keyCode == 8 && $(this).val().length == 1) {
    $(this).attr('type', 'text');
    $(this).val('');
  } else {
    if ($(this).val() !== '') {
      $(this).attr('type', 'password');
    } else {
      $(this).attr('type', 'text');
    }
  }

});

<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<input type="text" id="multi_user_timeout_pin" name="multi_user_pin" autocomplete="off" class="form-control" placeholder="Type your PIN here" ng-model="logutUserPin">

score -1 · Answer 21 · edited Aug 06 '20 at 12:42

In such a situation, I populate the password field with some random characters just after the original password is retrieved by the internal JavaScript code, but just before the form submission.

NOTE: The actual password is surely used for the next step by the form. The value is transferred to a hidden field first. See the code example.

That way, when the browser's password manager saves the password, it is not really the password the user had given there. So the user thinks the password has been saved, when in fact some random stuff is what got saved. Over time, the user would know that he/she can't trust the password manager to do the right job for that site.

Now this can lead to a bad user experience; I know because the user may feel that the browser has indeed saved the password. But with adequate documentation, the user can be consoled. I feel this is the way one can fully be sure that the actual password entered by the user cannot be picked up by the browser and saved.

<form id='frm' action="https://google.com">
    Password: <input type="password" id="pwd" />
    <input type='hidden' id='hiddenpwd' />
    <button onclick='subm()'>Submit this</button>
</form>

<script>
    function subm() {
        var actualpwd = $('#pwd').val();
        $('#hiddenpwd').val(actualpwd);
        // ...Do whatever Ajax, etc. with this actual pwd
        // ...Or assign the value to another hidden field
        $('#pwd').val('globbedygook');
        $('#frm').submit();
    }
</script>

@AristeidisKaravas Several banking apps on the web, uses this method to ensure that the actual password is never stored -- they fill the password field with arbitrary characters just to confuse the browsers password manager — S. Francis, Jan 28 '20 at 10:24

score -1 · Answer 22 · edited Aug 06 '20 at 12:37

-1

I just change the type attribute of the field password to hidden before the click event:

document.getElementById("password").setAttribute("type", "hidden");
document.getElementById("save").click();

edited Aug 06 '20 at 12:37

Peter Mortensen

28,342
21
95
123

answered Apr 07 '20 at 22:28

Jose Mesquita

1

score -1 · Answer 23 · answered Mar 04 '21 at 06:48

The password input box is essentially character replacement. 1.download font https://pan.baidu.com/s/1TnlCRB8cam6KgS6OarXu3w (c23n) 2.

<style>
@font-face {
    font-family: 'htmlpassword';
    font-style: normal;
    font-weight: 300;
    src: url(./css/fonts/htmlpassword.woff2) format('woff2');
}
</style>
<input type="text" autocomplete="off" name="password" style="font-family: &#34;htmlpassword&#34;;">

How to prevent a browser from storing passwords

23 Answers23

HTML Code

CSS Code

JavaScript Code

Linked

Related