0

Here is a rough "save as" from a basic contact details web app that I am using:

http://dtbaker.net/files/webfiles/auto-complete-issues.html

Whenever I am on a "contact" page it puts my saved username into the "new group" box and my saved password into the "set password" box, as shown in this screenshot:

screenshot of autocomplete error

As you can see in the HTML code linked above, the non-standard autocomplete=off attribute is used on the "group" input box:

<input type="text" name="group_module_name[user][new]" autocomplete="off">

and it's even in the password input box:

<input type="password" name="password_new" autocomplete="off" value="">

The problem here is that every time I click "Save Contact" it will overwrite this contact's password with my saved password and create a new Contact Group named the same as my username.

Ideas anyone?

dtbaker
  • 1
    autocomplete != autofill. Try "-webkit-autofill" – mishik Jun 14 '13 at 07:33
  • possible duplicate of [Disabling Chrome Autofill](http://stackoverflow.com/questions/15738259/disabling-chrome-autofill) – JJJ Jun 14 '13 at 07:48
  • 1
    thank you, I was searching for the term autocomplete instead of autofill. the solution mentioned in http://stackoverflow.com/questions/15738259/disabling-chrome-autofill does indeed work ( ie: `
    ` at the top ) this disables all autocompletion and autofill on **all** form elements within the form (would be nice to have chrome autofill disabled on only certain fields, without disabling autocomplete)
    – dtbaker Jun 14 '13 at 08:46
  • @dtbaker using "autocomplete='off'", can this problem be solved? – TopCaver Jul 22 '13 at 09:09

2 Answers

1

The reason browsers are ignoring autocomplete=off is because there have been some web-sites that tried to disable auto-completing of passwords.

That is wrong; and in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.

Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.

  • Chrome ignores it
  • Safari ignores it
  • IE ignores it
  • Firefox ignores it

What if I'm a special snowflake?

There are people who bring up a good use-case:

I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so the next user could use it.

That does not violate the statement:

Any attempt by any web-site to circumvent the browser's preference is wrong

That is because in the case of a shared kiosk:

  • it is not the web-server that has the oddball policy
  • it is the client user-agent

The browser (the shared computer) is the one that has the requirement that it not try to save passwords. The correct way to prevent the browser from saving passwords, is to configure the browser to not save passwords. Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.

In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).

From the Chrome Policy List:

AutoFillEnabled

Enable AutoFill

Data type: Boolean (REG_DWORD)

Windows registry location: Software\Policies\Chromium\AutoFillEnabled

Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

If you want your browser to stop autocompleting entries, then you need to configure your browser to match your preferences. No web-site, or security auditor, should attempt to force their opinions on me. There is no reason why my browser, sitting in my home, under my lock and key, should be prevented from saving anything I want - it's my browser.

Please pass the word that trying to disable autocompleting of password is wrong, browsers are intentionally ignoring anyone who tries to do it, and they should stop doing the wrong thing.™

Ian Boyd
  • Why on earth would disabling autofill on a password field be categorically wrong? It's trivially easy to imagine a situation where it's the autofill that's totally 100% wrong - e.g. an "add new user" form (where you definitely don't want the administrator's password autofilling for every new user), or an "update user info" form (where the password field should only be filled out if you want to change it). It's the browsers that are wrong here, not the developers. – Martha Nov 05 '15 at 16:04
  • @Martha Sorry, Martha. Someone somewhere thought that they didn't want users saving their passwords in the browser. Those web-sites, those security specialists, and those government auditors, all ruined it for everybody. Bonus: [You **still** have *"security specialists"* trying to convince people that they're right](https://www.appsecconsulting.com/blog/new-policy-on-autocomplete-vulnerabilities). Fortunately every browser vendor took away their ability to bother anyone with this ever again. If that is your preference, you should configure your browser not to save passwords. – Ian Boyd Nov 06 '15 at 14:42
  • 1. It's not my browser that's the issue, it's my users' browsers. 2. Disabling autofill is NOT categorically wrong, and browser makers should just get off their high horse. 3. The security vulnerabilities posed by autofill are very real. – Martha Nov 06 '15 at 15:32
  • @Martha What security vulnerability is posed by having autofill? It helps with the use of password managers - meaning it only makes things **more** secure. Requiring someone to type in their password every time **is** a security vulnerability : it encourages users to use easy to remember&type passwords. If you don't want users saving their own passwords on their own computer, then that's your preference. But you don't get to foist that opinion on others. It's their browser, not yours. And that's why every browser ignores your opinion - because your opinion is wrong. – Ian Boyd Feb 21 '19 at 16:27
  • autofill is a huge security hole because despite what browser makers (and apparently, you) think, y'all are NOT smarter than I am, and that field that you think is the username is emphatically NOT THE EFFING USERNAME. – Martha Feb 21 '19 at 23:26
  • And also, see my comments from three years ago: it is trivially easy to come up with situations where autofill is a VERY VERY BAD THING THAT SHOULD NEVER EVER HAPPEN. – Martha Feb 21 '19 at 23:28
  • @Martha Well, if you can come up with a solution where my browser will continue to auto-fill credentials, while satisfying what you want, you're free to suggest it. And with your comments from 3 years ago: I cannot see any situation where auto-fill is a bad thing. – Ian Boyd Feb 22 '19 at 00:11
  • So I take it you've never had to make an "add user" tool for use by other people, who aren't smart enough to tell their browser to go stuff itself? – Martha Feb 22 '19 at 01:47
  • In what way is add user, and the browser auto-filling the password by mistake, a security problem? Bonus: you concede that auto-filling the user+password on the login form **is** a good and right thing to do - and web-sites that try to block it on a login form are just wrong. – Ian Boyd Feb 22 '19 at 02:29
  • No, browsers that assume they know better than the web developer are just wrong: a password field does not a login form make, and we need a way to tell the browser that. But because of people like you who think you ALWAYS know better, we can't. – Martha Feb 22 '19 at 15:18
  • @Martha As long as we're clear: it is right and correct that browsers should auto-fill a user's username and password on their *honest-to-god* **login form**. After we agree on that, we can decide if we should throw away the 99% solution because it fails 1% (adding/editing a user). If you don't want to concede the first part, then a) explain why, and b) stop conflating the first part with the second. – Ian Boyd Feb 22 '19 at 18:12
  • There are forms that have a username and password but are NOT login forms. How can I tell Chrome to stop injecting the wrong username there? – LatinSuD Mar 20 '19 at 13:12
  • @LatinSuD Use the Chrome settings, or the group policy, to disable auto-fill. Alternatively, if it's not a login form, and you have access to the developer, tell him to stop using input type `password`. – Ian Boyd Mar 20 '19 at 23:07
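
The "Save Contact" overwrite from the question, and the "add user" / "update user info" forms argued over in the comments above, can be contained on the page itself by refusing to submit a credential field the user never edited. This is an added example, not code from the question or from either answer; the field names are taken from the question's form, while `GUARDED`, `dropUntouched`, `guardForm`, the sample values, the keydown/paste heuristic and the "empty means no change" convention are assumptions.

```javascript
// Added example. Field names are from the question's form; everything else is hypothetical.
const GUARDED = ['password_new', 'group_module_name[user][new]'];

// Pure core: blank any guarded field that holds a value the user never edited.
// An empty value is assumed to mean "no change" to the server.
function dropUntouched(values, userEdited, guarded = GUARDED) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(values)) {
    const autofilled = guarded.includes(name) && value !== '' && !userEdited.has(name);
    kept[name] = autofilled ? '' : value;
    if (autofilled) dropped.push(name);
  }
  return { kept, dropped };
}

// Browser wiring. Heuristic (assumption): a non-Tab keydown or a paste on the
// field means a person entered the value; a fill with neither is treated as autofill.
function guardForm(form, guarded = GUARDED) {
  const userEdited = new Set();
  const fields = guarded
    .map((name) => [name, form.elements.namedItem(name)])
    .filter(([, field]) => field);
  for (const [name, field] of fields) {
    // "new-password" is the standard autocomplete token for a field that sets a password
    if (field.type === 'password') field.setAttribute('autocomplete', 'new-password');
    field.addEventListener('keydown', (e) => { if (e.key !== 'Tab') userEdited.add(name); });
    field.addEventListener('paste', () => userEdited.add(name));
  }
  form.addEventListener('submit', () => {
    const values = Object.fromEntries(fields.map(([name, field]) => [name, field.value]));
    const { dropped } = dropUntouched(values, userEdited, guarded);
    for (const [name, field] of fields) {
      if (dropped.includes(name)) field.value = '';
    }
  });
  return userEdited;
}

// Constructed sample: what the question describes arriving on "Save Contact".
const sample = { contact_name: 'Bob', password_new: 'saved-login-pw',
                 'group_module_name[user][new]': 'dtbaker' };
console.log(dropUntouched(sample, new Set()).dropped);
```

A value inserted by a password generator without any keystroke is also blanked under this heuristic, so the server should still treat an empty `password_new` as "leave the password alone" rather than trust the client alone.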
-1

I fixed the issue by adding a dummy input field with a dynamic name and ID

<input type="password"  id="dummytoavoidAutoFill<?php echo date('ljSFYhisA');?>" name="dummytoavoidAutoFillFBN" value="" style="display:none;"/>
ByteHamster