How can I stop the password field being pre-populated on edit?
D

5

8

I have this problem all the time in my Rails apps and I still need the correct solution. Whenever a user edits their own record the password field is being populated. I suspect it's Firefox, as setting @user.password = nil in the edit action doesn't help.

The problem is the password confirmation isn't populated so validation fails due to a mismatch.

I've tried the following:

<%= f.label :password %>
<%= f.password_field :password, :value => "", :autofill => false, :class => 'max' %>

But that doesn't do it. I've also tried :autofill => 'off' which doesn't work either.

Does anybody have any suggestions? Thanks.

Derange answered 14/10, 2009 at 16:25 Comment(0)
E
15

Set autocomplete="off" in the form and the input tags

<form name="blah" autocomplete="off">
<input type="password" autocomplete="off">
</form>
Exaggerate answered 14/10, 2009 at 16:44 Comment(3)
In Ruby for copy and paste lazy people like me: <%= form_for(user, :html => { autocomplete: "off" }) do |f| %> - Overtone
This solution does not work with old browsers, like IE7 or IE8 - Orndorff
This doesn't work for me (Chrome 47.0) but for more details see developer.mozilla.org/en-US/docs/Web/Security/… - Wail
T
2

The line f.password_field :password, :value => '' didn't work for me (on Rails 3.1). Although I could empty the field with f.password_field :password, :value => nil.

Regards

Tailor answered 6/11, 2011 at 0:27 Comment(0)
E
1

There are two solutions:

  1. tell Firefox not to fill those fields;

  2. give password field a different name from "password".

Enloe answered 14/10, 2009 at 16:33 Comment(1)
1. I cannot control the user. 2. Great idea which I'm sure would work, however I would have to modify the password field in quite a few projects, some with AuthLogic, some with RA etc etc. - Derange
P
0

The HTML options are in their own hash so the syntax should look like this

<%= f.password_field :password, { :value => '' } %> 

This should replace the value attribute in the response HTML.

Paulin answered 14/10, 2009 at 18:56 Comment(4)
Thanks for the response although the syntax is perfectly valid as it is. The list of parameters after the method are still a hash with or without the brackets. Look at these examples: apidock.com/rails/ActionView/Helpers/FormHelper/password_field - Derange
When last parameter is a hash, brackets are optional; neither mandatory nor forbidden. - Enloe
True enough, thanks for pointing out my own syntactic hangup. The :value => '' should be all that is needed though. - Paulin
Thank you! This should be marked as the correct answer (for Rails 3.2.x), because RoR's built-in <%= form_for(@model) do |f| %> ... does not accept :autocomplete => "off" directives. - Inca
B
0

As a field option, you can pass it like this

<%= f.password_field :password, {:autocomplete =>"off"}  %>
Becerra answered 9/9, 2013 at 8:58 Comment(0)
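
The answers above change two different things: the `value` the server renders and the `autocomplete` hint given to the browser. The following check is an added example, not code from any answer on this page; it reads rendered form HTML and reports, for each password input, whether the server is sending a value and whether an autocomplete hint is present. The function names and the sample markup are constructed for illustration.

```ruby
# Added example: audit rendered form HTML for password inputs.
# All names here are hypothetical; the sample markup is constructed.

PasswordInput = Struct.new(:name, :server_value, :autocomplete)

# Parse the attributes of one <input ...> tag into a Hash (lower-cased names).
def tag_attributes(tag)
  attrs = {}
  tag.scan(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/) do |k, dq, sq, bare|
    attrs[k.downcase] = dq || sq || bare
  end
  attrs
end

# Return one PasswordInput per <input type="password"> found in the HTML.
def password_inputs(html)
  html.scan(/<input\b[^>]*>/i).filter_map do |tag|
    attrs = tag_attributes(tag)
    next unless attrs["type"].to_s.casecmp?("password")
    PasswordInput.new(attrs["name"], attrs["value"], attrs["autocomplete"])
  end
end

# Map each field name to its findings:
#   :server_sends_value   - the response itself carries a non-empty value
#   :no_autocomplete_hint - the tag has no autocomplete attribute at all
def audit(html)
  password_inputs(html).map do |f|
    findings = []
    findings << :server_sends_value unless f.server_value.to_s.empty?
    findings << :no_autocomplete_hint if f.autocomplete.nil?
    [f.name, findings]
  end.to_h
end

# Constructed sample: the question's field, a bare confirmation field,
# and a field where the server really does echo a value back.
SAMPLE_HTML = <<~HTML
  <form action="/users/1" method="post" autocomplete="off">
    <input type="password" name="user[password]" value="" autocomplete="off" class="max">
    <input type="password" name="user[password_confirmation]">
    <input type="password" name="user[legacy]" value="s3cret">
  </form>
HTML

audit(SAMPLE_HTML).each { |name, f| puts "#{name}: #{f.inspect}" } if __FILE__ == $0
```

A field that reports no `:server_sends_value` but still appears filled in on the edit page is being filled by the browser, so changing `:value` on the server will not affect it.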
