2

I have a web page that asks for a password. It is used my an admin no reset a users password, so I don't want the browser getting involved with remembering it.

At the moment (but only when the two passwords do not match) a dialog box appears asking "confirm password change", "please confirm which user you are changing the password for", then a list of passwords.

How can I allow an admin to enter a new user password (twice), with the display obfuscated, and the browser not "helping" by remembering the password?

ctrl-alt-delor
  • 6,726
  • 5
  • 30
  • 48

3 Answers3

1

I think is:

autocomplete="off"

as an attribute of the form or input element.

ctrl-alt-delor
  • 6,726
  • 5
  • 30
  • 48
Cruelcrome
  • 110
  • 6
1

<form autocomplete='off'> or <input type='password' name='pwd' autocomplete='off'> should work on modern browsers - part of HTML5 new form attributes.

For old browsers you could randomise the name of the password input element so that any stored values are not used. New browsers will (I think) still populate the fields, and it doesn't stop the password from being stored on the machine.

At the end of the day, your admin staff need to know that they shouldn't save this password. Is there a second factor you could introduce to the process (e.g. text them a number to confirm the action)? Can you alter the domain policy to stop browsers saving passwords?

Rob Church
  • 6,233
  • 2
  • 36
  • 46
0

Add autocomplete="false" to the button markup, no matter if it's a server control or and input type="text" button

Example:

<input type="text" autocomplete="false" name="pwd">

EDIT

Reading your question again, if you use <input type="password"/> as you should, there should be no autocomplete/autosuggest from the browser. Can you post your code, please?

Ted
  • 3,761
  • 1
  • 15
  • 30