Prevent browser from remembering credentials (Password)

Asked 15/7, 2015 at 19:10 Answered 6/9, 2019 at 14:33

Solved javascript angularjs passwords pug privacy

Is it possible after processing any login Form to prevent the browser from offering the option to remember the password?

I know it's been asked and answered here but none of the answers have worked so far, even one of them suggested using:

autocomplete="off"

But that also didn't worked.

I'm using AngularJS and Jade as templating engine (not sure if relevant or not anyhow), is there any way to do this?

Disposition answered 15/7, 2015 at 19:10 Comment(4)

Not possible since i have no access at the moment to modify the controllers scope or the services on the backend, actually they are not named as password or email, just pss and usrnme – Disposition 15/7, 2015 at 19:17

Why do you need this functionality? If it is only to ensure that the inputs are empty, you could manually clear them within your controller? Although this behaviour would be confusing for the user, so not really recommended. – Kussell 15/7, 2015 at 19:23

Check these: #32869 #468788 – Raffinose 15/7, 2015 at 19:24

It's probably going to be hard to give a highly robust, cross-browser, future-proof solution to changing browser behavior. If you desperately want to accomplish this, you'd probably have to resort to creating a custom UI element that looks like a password box to the user, but wouldn't be recognizable by the browser as such. Since you're using Angular, you could probably make a custom directive with $formatters, etc. from the ngModelController to effect the character masking. Yeah, it sounds like an ugly hack, but I can't think of a truly good solution I would trust. – Manservant 15/7, 2015 at 19:25

if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

You should also set autocomplete="off" on your input as well as your form.

Google Chrome release notes:

The Google Chrome UI for auto-complete request varies, depending on whether autocomplete is set to off on input elements as well as their form. Specifically, when a form has autocomplete set to off and its input element's autocomplete field is not set, then if the user asks for autofill suggestions for the input element, Chrome might display a message saying "autocomplete has been disabled for this form." On the other hand, if both the form and the input element have autocomplete set to off, the browser will not display that message. For this reason, you should set autocomplete to off for each input that has custom auto-completion.

Femoral answered 15/7, 2015 at 19:20 Comment(1)

If an author would like to prevent the autofilling of password fields in user management pages where a user can specify a new password for someone other than themself, autocomplete="new-password" should be specified, though support for this has not been implemented in all browsers yet.

Took me a while to realize why it didn't work. – Redon 24/1, 2017 at 11:39

I would suggest using Javascript to create a random number. Pass that random number to your Server Action using a hidden field, then incorporate that random number into the names of the "login" and "password" fields.

E.g. (psuedo code, the exact syntax depends on whether you use PHP, jQuery, pure Javascript, etc.)

<script>
var number = Math.random();
var login_name = 'name_'+number;
var pass_word = 'pass_'+number;
</script>
<input name='number' value="number" type='hidden'>
<input name="login_name" type='text'>
<input name="pass_word" type='password'>

Your server reads the "number" field, then uses that to read "name_"number value and "pass_"number value.

It won't matter whether or not the user saves their password in the browser, since every time the user logs in, the name and password fields will be different.

Dupont answered 23/3, 2016 at 22:16 Comment(1)

With most modern browsers ignoring the auto-complete value for password inputs, this idea sounds like the way to go. – Roth 17/5, 2016 at 13:32

The problem I have is that while I understand the 'annoyance' to a user in not being able to have their browser remember their password and I don't want to 'disable' that feature completely, there are times when I want to disable it for just a certain password field. Example for me being a 'reset your password' dialogue box.

I want to force them to have to re-enter their old password and then of course type the new one twice.

It's been my experience that no matter what I name that 'old' password input, it is auto-filled with the 'remembered' password (in Firefox 49.0.1 anyway). Maybe this is where I'm getting this wrong, but it just fills it no matter the fact that this input's name is different from saying the login input field.

The behavior I see is basically that the browser seems to say "This user has remembered a password for this site, so now just fill every input type='password' box with that password no matter the name. It seems to me that this should be based on the name attribute, but for me (on multiple sites I've worked on) this just does not seem to be the case.

My solution:

Color this password field to the same color as the background of your input so the 'password dots' is essentially invisible on page load.
onload, onblur, after a timeout, or however you want to do it, use JQuery or JS to set the value of that password field to nothing (blank), then set the color of the field to whatever it is supposed to be.
```
$("#old_password").val('').css('color','black);
```

Feoffee answered 8/10, 2016 at 16:9 Comment(0)

Since you're using AngularJS, you can leave the field unnamed, and access the data it contains through the model :

Login: <input ng-model="login" type="text" />
Password: <input ng-model="password" type="password" autocomplete="off" />

and in your javascript file :

$scope.doLogin = function() {
    var dataObj = {
        login: $scope.login,
        password: $scope.password
    };
    var res = $http.post('/login', dataObj);
}

Tested in IE10 and Chrome 54

Subterranean answered 14/10, 2016 at 14:21 Comment(0)

This post is little bit old now, but sincce I found a solution that works for me (at least with Chrome version 56), I'll share it here.

If you remove name and password attributes on your input, then Chrome won't ask to save the password. Then you just have to add the missing attributes by code just before submitting the form:

<!-- Do not set "id" and "name" attributes -->
Login: <input type="text">
Password: <input type="password">
<!-- Handle submit action -->
<input type="submit" onclick="login(this)">

Then in Javascript:

function login(submitButton) {
    var form = submitButton.form;
    // fill input names by code before submitting
    var inputs = $(form).find('input');
    $(inputs[0]).attr('name', 'userName');
    $(inputs[1]).attr('name', 'password');
    form.submit();
}

I hope this will help. Tested on Chrome 56 only.

Peek answered 14/3, 2017 at 9:1 Comment(0)

I've discovered that Firefox 52.0.2 is incredibly determined to remember the autocompletion values. I tried almost everything suggested above, including changing the name attributes to random values. The only thing that is working for me is setting the values to "" with Javascript after the browser has had its way with the form.

My use case is lucky in that I do not have to resort to CSS tricks to prevent a confusing and/or annoying flash of autocompleted form values (as proposed by @MinnesotaSlim above) because my form is hidden until they click a button; then it's displayed via a Bootstrap modal. Hence (with jQuery),

$('#my-button').on("click",function(){        
   $('#form-login input').val("");
});
// this also works nicely
$('#my-modal').on("show.bs.modal",function(){
    $('#form-login input').val("");
})

And I imagine you might be able to get the same effect by having your form initially hidden, and in your document load event, manually override the browser and then display the form.

Mai answered 9/5, 2017 at 15:56 Comment(0)

For me, the only solution that reliably worked was to empty username and password input element just before submitting form combined with replacing submit button for the regular button with onclick handler. NOTE: We use Microsoft MVC so we needed to populate ViewModel with entered credentials. Therefore we created hidden input elements bound to model and copied credential values to them before emptying visible inputs.

<form>
<input id="UserName" name="UserName" type="hidden" value="">
<input id="Password" name="Password" type="hidden" value="">
</form>

<input id="boxUsr" name="boxUsr" type="text" value="" autocomplete="off">
<input id="boxPsw" name="boxPsw" type="password" autocomplete="off">
<input type="submit" value="Login" onclick="javascript:submitformforlogin()">

   function submitformforlogin() {
        $("[name='boxPsw'],[name='boxUsr']").attr('readonly','true');
        var psw = document.getElementsByName('boxPsw')[0];
        var usr = document.getElementsByName('boxUsr')[0];
        if (psw.value != "false") {
            $('#Password').val(psw.value);
            $('#UserName').val(usr.value);
            psw.value = "";
            usr.value = "";
            $("form").submit();
        } else
            window.alert("Error!");
    }

Allegory answered 6/9, 2019 at 14:33 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags