Web page password field, that is not remembered by browser [duplicate] - html

This question already has answers here:
Disable browser 'Save Password' functionality
(35 answers)
Closed 9 years ago.
I have a web page that asks for a password. It is used by an admin to reset a user's password, so I don't want the browser getting involved with remembering it.
At the moment (but only when the two passwords do not match) a dialog box appears asking "confirm password change", "please confirm which user you are changing the password for", then a list of passwords.
How can I allow an admin to enter a new user password (twice), with the display obfuscated, and the browser not "helping" by remembering the password?

I think it is:
autocomplete="off"
as an attribute of the form or input element.

<form autocomplete='off'> or <input type='password' name='pwd' autocomplete='off'> should work on modern browsers - part of HTML5 new form attributes.
For old browsers you could randomise the name of the password input element so that any stored values are not used. New browsers will (I think) still populate the fields, and it doesn't stop the password from being stored on the machine.
At the end of the day, your admin staff need to know that they shouldn't save this password. Is there a second factor you could introduce to the process (e.g. text them a number to confirm the action)? Can you alter the domain policy to stop browsers saving passwords?

Add autocomplete="false" to the button markup, no matter if it's a server control or an input type="text" button.
Example:
<input type="text" autocomplete="false" name="pwd">
EDIT
Reading your question again, if you use <input type="password"/> as you should, there should be no autocomplete/autosuggest from the browser. Can you post your code, please?

Related

HTML input field triggering update username for saved password prompt

Is there any way to stop this behaviour?
<div class="form-group">
<label for="user-profile-name-input">Name</label>
<input type="text" id="user-profile-name-input" class="form-control" aria-describedby="name" placeholder="Name" value="...">
</div>
So every time I change anything in this input field and navigate to a new page within my website, the browser prompts me if I would like to update my username for the saved password of the site.
Is there any way to stop this behaviour?
I tried adding autocomplete=off but there was no change.
-----
UPDATE
OK, so I managed to figure it out. It was an error on my part. Keeping this post here in case anyone else encounters this issue.
I have a couple of Bootstrap modals on the same page. One of them has a type=password input. Since these are not completely removed when hidden, the browser still has a reference to the password input.
I removed the modal and the browser is no longer prompting me to update my username for the saved password every time I change a value in an input field.
Make sure you don't have a hidden input "type=password" somewhere on your page.
What you're asking for cannot be done at a code level. The behavior you're experiencing is browser specific and is something that can only be turned off by the user themselves if they choose to.
An example of how you can turn it off in Chrome here.
The browser recognizes the input field as a password field and therefore prompts for a password save, since the browser does not have a password stored for that specific page. Clicking "Never" will only stop the prompt for that page specifically, and any future page will still continue to prompt you until you completely disable the feature.
There are some hacky, tacky solutions to your problem if you really wanna go about it - check this post for instance, or this one. However, I strongly recommend that you don't use them as they are detrimental to the user experience. Let the user decide whether they want the feature or not.
That's a default functionality provided by Chrome to save your credentials when you enter them in your account in the browser, so that you don't have to repeat the credentials when you log in again. There's no way to stop it by using HTML code.

How can I disable autofill for username in HTML?

I have code to prevent the browser from autofilling the password, but I still cannot prevent it for the username textbox on the HTML page.
Here is the code for the password field on the page.
<input type="text" name="abc" id="abc">
<style>
/* Mask the characters typed into the text box (WebKit-only property) */
#abc { -webkit-text-security: disc; }
</style>
Here this code makes my textbox look like a password field, and it's working fine. Even the browser doesn't ask to save passwords.
Please suggest something for the username.
Autocomplete allows the browser to predict the value. When a user starts to type in a field, the browser should display options to fill in the field, based on earlier typed values.
Note: The autocomplete attribute works with the following types: text, search, url, tel, email, password, datepickers, range, and color.
<input type="text" name="test" autocomplete="off" />
Still, there are some facts you need to know about this attribute:
Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client.
The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
According to Mozilla developer documentation the form element attribute autocomplete prevents form data from being cached in older browsers.
Also, some Chrome extensions turn on autocomplete themselves, so when you're testing this attribute, make sure you disable those extensions.

How to avoid save password in Chrome 40?

I found the same type of question in question1 and question2, which gave autocomplete="off" as the answer, but this solution didn't work for Chrome 40 (Firefox, IE and Safari work fine).
Note: I didn't post code here, as it is a very basic HTML login page.
I've successfully disabled Chrome 40 password save by putting the following code on the destination page, i.e. where the user ends up after submitting the form:
<form action="" method="POST" autocomplete="off">
<input type="password" name="password0" style="visibility: hidden">
</form>
Note that you have to use visibility: hidden in the CSS. Using display: none (or not having a password field at all) will not prevent password save. It's probably also necessary that the name of the password field matches the one on the form that the user submitted.
Also note that preventing users from saving web passwords is evil. I needed this because we allow users to change the password for a non-web based system via a web page, so saving the password makes absolutely no sense. For a normal web site you should not deprive users of the right to save passwords.

Should one always NOT set the value attribute for an HTML input of type password?

For example:
<input value="userspassword" type="password"/>
I'm tempted to do this in certain situations on log in, sign up, edit account, etc pages. Should it never be done as it could be a security vulnerability?
edit: I'm not talking about as a placeholder, but as re-displaying a password the user entered on a form that didn't pass validation.
If you're just trying to use the password as part of a Sticky Form, that's fine if you are using SSL and POST.
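An added example (not code from any of the posts above): a small static check, in JavaScript, for three markup problems raised on this page: the boolean-style autocomplete="false" value, which is not a defined value of the attribute; a password echoed back through the value attribute; and a hidden type=password input left in the page. The function names and the regex-based tag parsing are assumptions made for the illustration, and the sample markup is assembled from the snippets quoted above.

```javascript
// Added example: static audit of form markup for the password-field issues above.
// Regex tag matching is a simplification that is adequate for flat form markup.
const BOOLEAN_LIKE = new Set(["false", "true", "no", "yes"]); // not autocomplete values

// Parse the attributes of a single <input ...> tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per problem found in the <input> tags of the given markup.
function auditPasswordInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<\s*input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (BOOLEAN_LIKE.has((a.autocomplete || "").toLowerCase())) {
      findings.push({ issue: "boolean-style-autocomplete-value", tag });
    }
    if ((a.type || "text").toLowerCase() !== "password") continue;
    // A non-empty value means the server wrote the password into the page source.
    if (a.value) findings.push({ issue: "password-echoed-in-markup", tag });
    // Hidden password inputs are still seen by the browser's password manager.
    const hiddenByStyle = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(a.style || "");
    if ("hidden" in a || hiddenByStyle) {
      findings.push({ issue: "hidden-password-input", tag });
    }
  }
  return findings;
}

// Sample markup assembled from the snippets on this page.
const SAMPLE = `
<input type="text" autocomplete="false" name="pwd">
<input value="userspassword" type="password"/>
<input type="password" name="password0" style="visibility: hidden">
<input type="password" name="pwd" autocomplete="off">
<input type="text" id="user-profile-name-input" class="form-control" value="...">
`;

for (const f of auditPasswordInputs(SAMPLE)) console.log(f.issue, "->", f.tag);
```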

Is there a way to tell the browser not to prompt the user to remember the password on a specific page?

In the registration page on the website I'm working on, Firefox prompts the user if they want to save their password.
If the user chooses yes then the password is saved for the registration page which is quite useless considering that the login page is different, and that the browser will prompt the user again in the login page, which makes poor user experience.
Is there any way I can tell the browser that there is no need to save the password on the registration page?
You can use the following form tag ->
<form id="<someid>" action="<action>" method="<method>" autocomplete="off">
Not sure that all browsers support it -> https://developer.mozilla.org/En/How_to_Turn_Off_Form_Autocompletion
Well, I found a solution right after posting the question:
<form autocomplete="off">
disables prompting the user to remember the password, and turns off auto complete of fields which is a good idea for a registration form.
Try making the name and/or id/class of the password input something other than password, passwd, pass. I believe FF tries to recognize password fields by looking at their names.