Google chrome autofilling all password inputs

Question

My Problem

I must have turned on google to autofill for a login on my site, however it is trying to now autofill that login data whenever I want to edit my account info or edit another users account info (as an admin). It fills in my data in weird spots. The issue seems to be that Chrome auto fills any input with a type of password and then whatever the input before it is (see image below). If I put a select box before it then it won't autofill.

Google autofilling registration with login details

I obviously don't want to have to go through and delete the password/phone every time I edit a user. I also don't want my users to have to do that when they are editing their own account. How do I remove it?

What I have tried (with no success)

Adding autocomplete="off" to the form as well as both the phone and password inputs.
Adding value="" to both inputs
Changing the name= of the password input. I tried pw, pass, password, and cheese (incase chrome was picking up the name)
Adding autocomplete="off" through the jquery .attr

What I have found

I found that Google may be intentionally ignoring autocomplete: Google ignoring autocomplete

I found another user posting a similar question but the solution is not working for me: Disable Chrome Autofill

I also found another user doing a work around involving creating a hidden password field which would take the google autocomplete, I'd prefer a cleaner solution as in my case I would also need a hidden input above it to avoid both from autofilling: Disable autofill in chrome without disabling autocomplete

Try to put other hidden password field in the form. It´s a dirty hack but only solution that works to me. — Márcio Souza Júnior, May 11 '14 at 17:11
Yeah, that was one of the options I found, but I was looking to find a way that is not a hack. — Tyler, May 29 '14 at 16:29
This is driving me crazy. I can't seem to find a non-hack way to tell google the purpose of the fields on my admin pages. — ewalk, Jun 06 '14 at 09:19
Chrome might also be checking label value, not only input name. Some recommend replacing Password: with something like Password:. Didn't work for me. I also tried cleaning value with jQuery right after the page is loaded - no luck. — ZurabWeb, Sep 22 '14 at 17:43
Please check my workaround here: http://stackoverflow.com/questions/15738259/disabling-chrome-autofill/36030236#36030236 — Fareed Alnamrouti, Mar 16 '16 at 08:29

score 41 · Answer 1 · answered Sep 12 '17 at 07:53

In HTML5 with autocomplete attribute there is a new property called "new-password" which we can use to over come this issue. Following works for me.

<input id="userPassword" type="password" autocomplete="new-password">

current-password : Allow the browser or password manager to enter the current password for the site. This provides more information than "on" does, since it lets the browser or password manager know to use the currently-known password for the site in the field, rather than a new one.

new-password : Allow the browser or password manager to automatically enter the new password for the site. This might be automatically generated based on the other attributes of the control, or might simply tell the browser to present a "suggested new password" widget of some kind.

Refer: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/password

Note: You unfortunately can't dynamically change `autocomplete` field. If your password field changes roles (maybe if a known user enters their email) then you should use two password fields - one of each type. [current Chrome as of today] — Simon_Weaver, Dec 30 '18 at 08:10

Rob Porter · Answer 2 · 2017-02-07T18:07:03.670

This can be solved without hacks, but it is not necessarily intuitive. There are two weird decisions that Chrome makes. First, Chrome ignores autocomplete="off" in its parsing, and second, Chrome assumes the field that comes before a password field must be a username/email field, and should be autocompleted as such.

There are ways around this though that leverage the HTML5 autocomplete attribute spec.

As you will see in the link below, there are standard values for the attribute autocomplete. To avoid having Chrome assuming the field before a password is an email field, use either one of the official values (e.g., tel for a phone number), or make up a value that does not exist on the list, but is also not off or false.

Google suggests you use one of the standard values with new- prepended to the value, e.g., autocomplete="new-tel". If you want a password field to not autocomplete, you can use autocomplete="new-password", for instance.

While technically you could of course make the attribute something random without context to the same effect (e.g. autocomplete="blahblahblah"), I recommend the new- prefix as it helps give any future developer working on your code some context of what you're accomplishing with this attribute.

Ref: https://html.spec.whatwg.org/multipage/forms.html#autofilling-form-controls:-the-autocomplete-attribute

dsuess · Answer 3 · 2016-10-30T13:35:37.547

9

Sometimes even autocomplete=off would not prevent to fill in credentials into wrong fields, but not user or nickname field.

Fix: browser autofill in by readonly-mode and set writable on focus

 <input type="password" readonly onfocus="this.removeAttribute('readonly');"/>

(focus = at mouse click and tabbing through fields)

Update: Mobile Safari sets cursor in the field, but does not show virtual keyboard. New Fix works like before but handles virtual keyboard:

<input id="email" readonly type="email" onfocus="if (this.hasAttribute('readonly')) {
    this.removeAttribute('readonly');
    // fix for mobile safari to show virtual keyboard
    this.blur();    this.focus();  }" />

Live Demo https://jsfiddle.net/danielsuess/n0scguv6/ // UpdateEnd

Explanation: Browser auto fills credentials to wrong text field?

@Samir: Chrome auto fills any input with a type of password and then whatever the input before it is

Sometimes I notice this strange behavior on Chrome and Safari, when there are password fields in the same form. I guess, the browser looks for a password field to insert your saved credentials. Then it autofills username into the nearest textlike-input field , that appears prior the password field in DOM (just guessing due to observation). As the browser is the last instance and you can not control it,

This readonly-fix above worked for me.

edited Oct 30 '16 at 13:35

answered Nov 14 '14 at 13:47

dsuess

4,769
2
20
21

and don't forget to add `input[readonly] { cursor: text; }` to your CSS – Juribiyan Jun 17 '16 at 16:58
1

@dsuess This solution works, but it brakes soft keyboard triggering on mobile-safari. Keyboard pop-up is not triggered by onfocus when input field is readonly. So this is the only workaround but it comes with a cost, the one that i am trying to solve right now – caniaskyouaquestion Oct 27 '16 at 07:06
@caniaskyouaquestion Thanks for pointing this out. Check out the updated script. – dsuess Oct 30 '16 at 13:39
1

This solution actually works. Unbelievable how something like autocomplete="off" doesn't work. When I am resetting password, I don't want to get the old password set into the field Google... – Bartando Jan 23 '19 at 21:34
This is an excellent implementation thank you saved me many a hour of searching! – d0rf47 Jan 05 '21 at 18:23

score 2 · Answer 4 · answered Feb 18 '19 at 18:07

fake inputs dont work
autocomplete="off" / "new-password" / "false" and so on dont work, chrome ingores them all

Solution that worked for us:

<script>
        $(document).ready(function(){

            //put readonly attribute on all fields and mark those, that already readonly
            $.each($('input'), function(i, el){
                if ($(el).attr('readonly')) {
                    $(el).attr('shouldbereadonly', 'true');
                } else {
                    $(el).attr('readonly', 'readonly');
                }
            });

            //Remove unnecessary readonly attributes in timeout
            setTimeout(function(){

                $.each($('input'), function(i, el){
                    if (!$(el).attr('shouldbereadonly')) {
                        $(el).attr('readonly', null);
                    }
                });

            }, 500);
        });
    </script>

Urgh! This should be the accepted answer - I have a page where chrome keeps clobbering a user-supplied token (not a password) with the wrong value and adapting this was the only thing that worked - thanks man! — Geoff Williams, Jun 12 '19 at 08:34

score 1 · Answer 5 · answered Aug 12 '14 at 19:09

I would make a hidden password field instead of disabling auto-fill for chrome. Disabling auto-fill for you doesn't disable it for everyone.

So i got this.

<input type="hidden" name="Password" id="Password" value="Password" /><br />

(If you're just looking to disable it for yourself, Then disable it using chrome's settings.)

How to disable it with chromes settings:

Click the Chrome menu Chrome menu on the browser toolbar.
Select Settings.
Click Show advanced settings and find the "Passwords and forms" section.
Deselect the "Enable Autofill to fill out web forms in a single click" checkbox.

Credits go to heinkasner for that one.

Other than those two methods, I don't think this is possible to disable it for all users.

Thanks for the reply, however this answer has already been suggested in other threads which I've linked to. My goal with this question was to attempt to find a clean solution and not a work-around. — Tyler, Sep 22 '14 at 10:00

score 0 · Answer 6 · answered Sep 12 '17 at 09:30

Chrome has updates, fake inputs are not working any more.

Chrome seems to remember everything after an success 200 net connection, whatever input[type=password] is activated on the screen will be remembered.

I've tried dynamically set the inputs to type text, clearing the contents, they don't always work, especially when there is a button to get verify code before submitting the form.

Finally, I figured it out:

listen to inputs focus and blur events,

everytime blur:

var psw1 = $('input[name=psw1]').val();
$('input[name=psw1]').val((new Array(psw1.length)).join('*'));
$('input[name=psw1]').attr('type', 'text');

everytime focus:

$('input[name=psw1]').attr('type', 'password');
$('input[name=psw1]').val(psw1)

the side effect is obvious, input's content would change every focus and blur event, but this method prevent chrome from remembering password perfectly.

score 0 · Answer 7 · answered Nov 15 '19 at 12:14

0

Opacity

We fixed this by adding a field and setting its opacity to 0. so chrome still think there is a field an filling it.

    width: 0px !important;
    height: 0px !important;
    opacity: 0 !important;

answered Nov 15 '19 at 12:14

bmavus

872
1
6
19

score 0 · Answer 8 · edited Oct 27 '20 at 14:43

0

I handle this problem with some simple js

<input type="password" name="password" class="autocomplete-off" readonly="readonly">

// autocomplete
$('input.autocomplete-off').click(function () {
    $(this).removeAttr('readonly');
});

edited Oct 27 '20 at 14:43

sikander

2,263
15
22

answered Jul 23 '20 at 05:31

Mahdi Bagheri

76
1
7

score 0 · Answer 9 · answered Oct 08 '20 at 13:00

0

I noticed that Chrome / FF browser ALWAYS auto-filled the text input immediately preceding the password field. So the simplest solution was to add a "dummy" input:

answered Oct 08 '20 at 13:00

Ian

339
1
3
7

Google chrome autofilling all password inputs

9 Answers9

Linked