How can disable autofill for username in html? - html

I have code to prevent password to autofill from browser, but I can not still prevent it for username textbox on the HTML page.
Here is the code for the password field on the page.
enter code here
<input type="text" name="abc" id="abc">
<style>
-webkit-text-security:desc;
</style>
Here this code makes my textbox looks alike as the password field, and it's working fine. Even browser doesn't ask for save passwords.
Please suggest me guys for username.

Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.
Note: The autocomplete attribute works with the following types: text, search, url, tel, email, password, datepickers, range, and color.
<input type="text" name="test" autocomplete="off" />
Still there are some facts you need to know about this attribute , those are as below:
Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client.
The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.
Also some chrome extensions also on automcomplete it self so when your testing this attribute just make sure you disable those extensions.

Related

Prevent autofill of passwords for all browsers

It's well documented that Chrome and Firefox ignore the standard autocomplete="off" attribute in html as they (Google) feel it wasn't being used correctly. They have even come up with workarounds and their own set of values for autofilling fields.
However, We need to prevent users passwords from being auto-filled for a website we're working on, and none of the suggestions put forward by Google appear to work.
The current situation on our website is that login names and passwords are stored by the browser, and so when a user visits the site and they're forced to login, their username and passwords are pre-populated in the relevant fields and they simply click the login button to login.
This has been deemed insecure, and while the infosec team are happy for the username to be pre-populated, they insist the password field is not.
To start with I tried adding the autocomplete="off" attribute to the password fields, but the password was still pre-populated. After some googling I found this link that shows Google decided to ignore this value and come up with a list of their own values for the autocomplete attribute...
Google ignores autocomplete="off"
They state that if we add our own, non-recognised value (such as autocomplete="please-dont-auto-fill-me") if shouldnt auto fill as it wouldnt know what that value is for.
However, I added something more meaningful - autocomplete="non-filled-value" - and it still populated the field. I've since tried a number of other things, such as renaming the password input control (removing the word "password" from the control name) etc and nothing seems to work. every time I load the login page, the password is pre-populated.
The issue I have is that my login form will be loaded on multiple browsers as different users from around the world login, and I need a solution that works for all browsers, not just Chrome.
Does anyone have any experience of this, and has a working solution for preventing fields being pre-populated/auto-filled that works cross browser? Everything I've tried (renaming fields, adding hidden fields, setting obscure autocomplete attribute values) fails to work, and whatever I try, the password is pre-populated.
Obviously, I have no control over the users actual browser settings and cant force them all to change their own personal settings.
New approach
I know how frustrating it is to try all solutions and seeing user and password fields ignore them.
Unforturnately, I haven't found a straightforward way of doing this, but I have a workaround for avoiding user password fields getting autofilled.
The problem
The main problem is that if you set input type="password", browsers automatically try fo autofill the field with saved passwords and users for the webapp, and nothing seems to work in order to stop it.
The solution
My approach is to avoid setting input type="passoword", but making the field look like a password field.
The way I found to achieve this was to build a font composed only by discs, so when you type anything in the input field, it looks like a password field, but you will never be prompted with saved user and password credentials.
I've tested this solution on Chrome, Firefox and Microsoft Edge, please let me know if is something worong with other browsers.
I know the solution is awful, but seems to work.
Link to the font, made by me using Font Forge: https://drive.google.com/file/d/1xWGciDI-cQVxDP_H8s7OfdJt44ukBWQl/view?usp=sharing
Example
Browsers will not fill in the input elements because none of them is type="password"
Place the .ttf file in the same directory where you create the following html file:
<!DOCTYPE html>
<html>
<head>
<title>Font Test</title>
</head>
<body>
<span>Name: </span><input type="text"/>
<span>Password: </span><input class="disk-font" type="text"/>
</body>
<style>
#font-face {
font-family: disks;
src: url(disks.ttf);
}
.disk-font{
font-family: disks;
}
</style>
</html>
Hope this is helpful, feel free to comment any issue.
Actually, i've recently faced this issue, and a workaround which worked form me is just setting the value as an empty string on a method (can be onload, for example if the input is in your main screen). Would be something like:
let login = document.querySelector('#inputLogin');
let password = document.querySelector('#inputPassword');
function someFun () {
login.value = '';
password.value = '';
}
Also I've already tried to put autocomplete="false" but didn't work.
As explained in this MDN article, autocomplete="off" will be ignored for password auto-fill, but autocomplete="new-password" is likely to work, though it carries additional semantic information:
If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password".
This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling elements with autocomplete="new-password" for this very reason. For example, Firefox version 67 (see bug 1119063) stopped autofilling in this case; however, Firefox 70 (see bug 1565407) can suggest securely-generated passwords, but does not autofill a saved password. See the autocomplete compat table for more details.

HTML input field triggering update username for saved password prompt

Is there any way to stop this behavour?
<div class="form-group">
<label for="user-profile-name-input">Name</label>
<input type="text" id="user-profile-name-input" class="form-control" aria-describedby="name" placeholder="Name" value="...">
</div>
So every time a change anything is this input field and navigate to a new page within my website, the browser prompts me if I would like to update my username for the saved password of the site.
Is there any way to stop this behaviour?
I trying adding autocomplete=off but there was no change.
-----
UPDATE
Ok so I managed to figure it out. It was an error on my part. Keeping this post here incase anyone else encounters this issue.
I have a couple of bootstrap modals on the same page. One of them has a type=password input. Since these are not completely removed when hidden the browser still has a reference to the password input.
I removed the modal and the browser is no longer prompting for me to update my username to the saved password every time i change a value in an input field.
Make sure you dont have a hidden input "type=password" somewhere on your page.
What you're asking for cannot be done at a code level. The behavior you're experiencing is browser specific and is something that can only be turned off by the user themselves if they choose to.
An example of how you can turn it off in Chrome here.
The browser recognizes the input field as a password field and therefore prompts for a password save, since the browser does not have a password stored for that specific page. Clicking "Never" will only stop the prompt for that page specifically, and any future page will still continue to prompt you until you completely disable the feature.
There are some hacky, tacky solutions to your problem if you really wanna go about it - check this post for instance, or this one. However, I strongly recommend that you don't use them as they are detrimental to the user experience. Let the user decide whether they want the feature or not.
That's a default functionality provided by chrome to save your credentials while you enter your credentials in your account in browser and not to repeat the credentials when you are trying to re login. There's no way to stop it by using HTML code.

How to avoid save password in chome 40?

I found same type of question question1 and question2
that gave as autocomplete="off" but this solution didn't work for chrome-40(firefox, IE, Safari work fine)
note: I didn't post code herewith that is very basic html login page
I've successfully disabled Chrome 40 password save by putting the following code on the destination page, i.e. where the user ends up after submitting the form:
<form action="" method="POST" autocomplete="off">
<input type="password" name="password0" style="visibility: hidden">
</form>
Note that you have to use visibility: hidden in the CSS. Using display: none (or not having a password field at all) will not prevent password save. It's probably also necessary that the name of the password field matches the one on the form that the user submitted.
Also note that preventing users from saving web passwords is evil. I needed this because we allow users to change the password for a non-web based system via a web page, so saving the password makes absolutely no sense. For a normal web site you should not deprive users the right to save passwords.

Why is Google Chrome autocomplete not disabled in this example?

Here is a rough "save as" from a basic contact details web app that I am using:
http://dtbaker.net/files/webfiles/auto-complete-issues.html
Whenever I am on a "contact" page it puts my saved username into the "new group" box and my saved password into the "set password" box, as shown in this screenshot:
As you can see in the HTML code linked above, the non-standard autocomplete=off attribute is used on the "group" input box:
<input type="text" name="group_module_name[user][new]" autocomplete="off">
and it's even in the password input box:
<input type="password" name="password_new" autocomplete="off" value="">
The problem here is that every time I click "Save Contact" it will overwrite this contacts password with my saved password and create a new Contact Group named the same as my username.
Ideas anyone?
The reason browsers are ignoring autocomplete=off is because there have been some web-sites that tried to disable auto-completing of passwords.
That is wrong; and in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.
Bugzilla Bug 956906 - ignore autocomplete="off" when offering to save passwords via the password manager
Reddit discussion
Chrome's announcement when they began ignoring autocomplete=off
Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.
Chrome ignores it
Safari ignores it
IE ignores it
Firefox ignores it
What if I'm a special snowflake?
There are people who bring up a good use-case:
I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so they next user could use it.
That does not violate the statement:
Any attempt by any web-site to circumvent the browser's preference is wrong
That is because in the case of a shared kiosk:
it is not the web-server that has the oddball policy
it is the client user-agent
The browser (the shared computer) is the one that has the requirement that it not try to save passwords. The correct way to prevent the browser from saving passwords, is to configure the browser to not save passwords. Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.
In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).
From the Chrome Policy List:
AutoFillEnabled
Enable AutoFill
Data type: Boolean (REG_DWORD)
Windows registry location: Software\Policies\Chromium\AutoFillEnabled
Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
If you want your browser to stop autocompleting entries, then you need to configure your browser to match your preferences. No web-site, or security auditor, should attempt to force their opinions on me. There is no reason why my browser, sitting in my home, under my lock and key, should be prevented from saving anything i want - it's my browser.
Please pass the word that trying to disable autocompleting of password is wrong, browsers are intentionally ignoring anyone who tries to do it, and they should stop doing the wrong thing.™
I Fixed issue by adding dummy input field with dynamic name and ID
<input type="password" id="dummytoavoidAutoFill<?php echo date('ljSFYhisA');?>" name="dummytoavoidAutoFillFBN" value="" style="display:none;"/>

Web page password field, that is not remembered by browser [duplicate]

This question already has answers here:
Disable browser 'Save Password' functionality
(35 answers)
Closed 9 years ago.
I have a web page that asks for a password. It is used my an admin no reset a users password, so I don't want the browser getting involved with remembering it.
At the moment (but only when the two passwords do not match) a dialog box appears asking "confirm password change", "please confirm which user you are changing the password for", then a list of passwords.
How can I allow an admin to enter a new user password (twice), with the display obfuscated, and the browser not "helping" by remembering the password?
I think is:
autocomplete="off"
as an attribute of the form or input element.
<form autocomplete='off'> or <input type='password' name='pwd' autocomplete='off'> should work on modern browsers - part of HTML5 new form attributes.
For old browsers you could randomise the name of the password input element so that any stored values are not used. New browsers will (I think) still populate the fields, and it doesn't stop the password from being stored on the machine.
At the end of the day, your admin staff need to know that they shouldn't save this password. Is there a second factor you could introduce to the process (e.g. text them a number to confirm the action)? Can you alter the domain policy to stop browsers saving passwords?
Add autocomplete="false" to the button markup, no matter if it's a server control or and input type="text" button
Example:
<input type="text" autocomplete="false" name="pwd">
EDIT
Reading your question again, if you use <input type="password"/> as you should, there should be no autocomplete/autosuggest from the browser. Can you post your code, please?