I was design a login form for my website. As part of security improvement for the application, I need to turn off autocomplete for the password field. To be more specific I need to prevent browser from saving the password. I followed the traditional way by turning off form autocomplete. But unfortunately it’s not working.
The following bullet points are my findings.
- The ability for websites to disable the password manager using autocomplete = “off” is being removed in Firefox 30 (bug 956906)
- The bug is resolved in IE 9 onwards.
- Chrome now ignores
autocomplete='off'by default (issue 177288). This has been discussed in several places .
Most of the modern browser drops the support for the autocomplete for the password field.This is mainly due to security threats.
Now the developers have the challenge to turn off autocomplete for the password field. I have reviewed few documents and notes. Finally I found few work around.
- Option 1: One step login process. Use multiple input text/password combination in the login form, It will confuse browser, so the username field and password field are in a single login form.
<form> <input type="text" id="txtUserName"/> <input type="hidden" id="txtHidden" /> <input type="password" id="txtPassword"/> </form>
- Option 2: Two step login process. Like Google implemented for their account login. You need to ask username on one page after validation user name the page is redirected to password page. Two pages for login below is the new Google login screen shot.
I always recommend option 2, as I experiment all three options. Be safe don’t allow anyone to store or steal your password anywhere on web. Safety first
Wish you happy coding.