3
One of the systems I work on was analyzed by a security team and among some security practices they recommended was the inclusion of autocomplete="off" in elements input of the kind password.
I wonder if this procedure would be unnecessary, since browsers already "know" that this is a password input field and probably (I think) they will not enable the autocomplete.
Example:
<input type="password" name="password" autocomplete="off">
1
Some browsers implement password management; when it enters a password in the form the browser gives the option to save it, when the site is visited again, the field is auto-populated. On top of that, the browser allows the user to choose a "master password" that will be used to encrypt the stored data.
Therefore, some browsers do not support the autocomplete="off".
In some cases, the browser will keep the autocomplete to complete automatically, even if the attribute is set to off.
The correct thing your security team should recommend is autocomplete="nope". Since this random value is not a valid value, then the browser will give up filling it.
This is a unique customer issue, if the client selects save password, the browser will give priority to it.
Really this is debatable. I will be doing a wider reading and will be editing this answer.
Libraria:
Browser other questions tagged html
You are not signed in. Login or sign up in order to post.