Is autocomplete="off" required on input type "password"? Why?


3

One of the systems I work on was analyzed by a security team, and among the security practices they recommended was the inclusion of autocomplete="off" in input elements of type password.

I wonder if this procedure would be unnecessary, since browsers already "know" that this is a password input field and probably (I think) they will not enable the autocomplete.

Example:

<input type="password" name="password" autocomplete="off">


1 answer

1


Some browsers implement password management: when the user enters a password in a form, the browser gives the option to save it, and when the site is visited again, the field is auto-populated. On top of that, the browser allows the user to choose a "master password" that will be used to encrypt the stored data.

Therefore, some browsers do not support the autocomplete="off".

  1. If you set autocomplete on a password field, for example, the browser will allow the user to save the password for the next time the user visits the page. Here’s why some browsers don’t work.
  2. This occurs in Firefox (since version 38), Google Chrome (since 34) and Internet Explorer (from version 11).

In some cases, the browser will keep completing the field automatically, even if the attribute is set to off.

The correct thing your security team should recommend is autocomplete="nope". Since this random value is not a valid value, the browser will give up filling it.

This is purely a client matter: if the client selects save password, the browser will give priority to it.

Really this is debatable. I will be doing a wider reading and will be editing this answer.

References:

Security - Mozilla
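
As an added example (not part of the original question or answer), this Python script audits a page's password inputs and reports the autocomplete value that applies to each one, including a value inherited from the enclosing form. The sample markup is constructed, and the function names and labels are this example's own.

```python
from html.parser import HTMLParser

# Constructed sample markup (not taken from the system discussed above).
SAMPLE = """
<form action="/login" autocomplete="off">
  <input type="password" name="pw_inherited">
  <input type="password" name="pw_off" autocomplete="off">
  <input type="password" name="pw_nope" autocomplete="nope">
  <input type="password" name="pw_current" autocomplete="current-password">
</form>
<input type="password" name="pw_bare">
"""

# Autofill tokens the HTML Standard defines for password fields.
PASSWORD_TOKENS = {"current-password", "new-password"}

def classify(value):
    """Label an autocomplete value; the labels are this example's own."""
    tokens = (value or "").lower().split()
    if not tokens:
        return "unset"
    field = tokens[-1]  # the field name is the last token in the list
    if field in ("on", "off"):
        return field
    return "password-token" if field in PASSWORD_TOKENS else "other"

class PasswordFieldAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_value = None  # autocomplete of the enclosing <form>, if any
        self.findings = []      # (name, applied value, label) per password input

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_value = a.get("autocomplete")
        elif tag == "input" and a.get("type", "").lower() == "password":
            # An input without its own attribute falls back to the form's.
            value = a.get("autocomplete", self.form_value)
            self.findings.append((a.get("name", ""), value, classify(value)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE)` returns one `(name, value, label)` tuple per password input, so a review can list which fields rely on "off", which carry a non-password value such as "nope", and which set nothing at all.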
