How to avoid username/password autofill within a form in Chrome?

Asked 29/8, 2014 at 13:40 Answered 16/5 at 5:19

I have an admin form with username and password fields that is being filled in by Chrome as it has a username and password remembered. I would like to prevent these fields to be automatically filled. I did lots of search and already tried the autocomplete tag (in input and form), displany:none in style tag and the javascript call to dissabled autocomplete... and nothing of these worked.

Can you please give me a hand?

Thanks!

Brocket answered 29/8, 2014 at 13:40 Comment(2)

That's a tricky one as various valid answers became obsolete with newer versions of chrome. If none of the solutions you found did actually work (you seem to have tried a lot), I would suggest to use a random name for thoses fields and store those random names in a hidden field you POST together with the form so that you know how your username/password fields were actually named... – Quevedo 29/8, 2014 at 13:50

That is a good point Bartdude, infact I was considering changing those names – Brocket 29/8, 2014 at 14:19

link to gist https://gist.github.com/runspired/b9fdf1fa74fc9fb4554418dea35718fe

<!--
  <form autocomplete="off"> will turn off autocomplete for the form in most browsers
  except for username/email/password fields
  -->
<form autocomplete="off">

  <!--  fake fields are a workaround for chrome/opera autofill getting the wrong fields -->
  <input id="username" style="display:none" type="text" name="fakeusernameremembered">
  <input id="password" style="display:none" type="password" name="fakepasswordremembered">

  <!--
    <input autocomplete="nope"> turns off autocomplete on many other browsers that don't respect
    the form's "off", but not for "password" inputs.
  -->
  <input id="real-username" type="text" autocomplete="nope">

  <!--
    <input type="password" autocomplete="new-password" will turn it off for passwords everywhere
    -->
  <input id="real-password" type="password" autocomplete="new-password">

</form>

Ipsus answered 24/6, 2017 at 12:37 Comment(1)

great lol now we're setting honey pots against Google Chrome... something is wrong with this world – Goldshell 10/6, 2019 at 17:6

I found a work around for chrome. I have not tried this on any other browser. Load the password field as a type="text" then when the page is finished loading change the type to password chrome will not autofill the username and password.

<input type="text" name="newPassword" id="newPassword" value="" class="form-control" autocomplete="off">
<script type="text/javascript">
$(document).ready(function(){
    $('#newPassword').attr('type', 'password');
});
</script>

Wawro answered 9/12, 2015 at 21:48 Comment(0)

The reason browsers are ignoring autocomplete=off is because there have been some web-sites that tried to disable auto-completing of passwords.

That is wrong; and in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.

Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.

Chrome ignores it
Safari ignores it
IE ignores it
Firefox ignores it

What if I'm a special snowflake?

There are people who bring up a good use-case:

I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so they next user could use it.

That does not violate the statement:

Any attempt by any web-site to circumvent the browser's preference is wrong

That is because in the case of a shared kiosk:

it is not the web-server that has the oddball policy
it is the client user-agent that has the oddball policy

The browser (the shared computer) is the one that has the requirement that it not try to save passwords.

The correct way to prevent the browser from saving passwords
is to configure the browser to not save passwords.

Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.

In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).

From the Chrome Policy List:

AutoFillEnabled

Enable AutoFill

Data type: Boolean (REG_DWORD)

Windows registry location: Software\Policies\Chromium\AutoFillEnabled

Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.

Please pass the word up to corporate managers that trying to disable autocompleting of password is wrong. It is so wrong that browsers are intentionally ignoring anyone who tries to do it. Those people should stop doing the wrong thing.™

tl;dr: My browser is going to remember my login for your web-site. If you don't like it: that's your problem. I will not sacrifice my preferences for yours.

Put it another way

There is a lot of confusion, or disagreement, on these points. Let me clarify, and put it as plainly as i possibly can:

if i want to save my HIPPA password: that's my right
if i want to save my PCI password: that's my right
if i want to save the "new password for the user": that's my right
if i want to save the one-time-password: that's my right
if i want to save my "first color's favorite maiden" answer: that's my right.

It's not your job to over-rule the user's wishes. It's their browser; not yours.

And if i don't want the value saved, i will click Nope:

Neither you, nor your managers, nor HIPPA, nor the EU, nor the GDPR, get to over-rule my wishes. It's my browser. I'm the user. I'm in charge.

If you have a different opinion
on how your browser should behave
then you
can configure your browser
to suit your personal preferences

But you don't get to impose them on anyone else.

But it's a HIPPA-PCI-GDPR-PII violation if we allow passwords to be saved. We need auto-filling turned off!

No, you don't. I'm right. You're wrong. And every browser agrees with me. If you don't like something, i suggest you talk to a therapist about it.

Advised answered 11/2, 2015 at 14:40 Comment(39)

Actually, I think autocomplete makes it staggeringly easy for anyone who steals a computer to gain access to each and every site with a username and password log in. Type in a single letter a-b-c- until the autocomplete shows you a username that has been entered before. Select it and the password will autofill. That is why corporate managers should let you disable AutoFill - and if you have used Google Chrome recently, you'll know that the Autofill has a (very persistent, and usually very mistaken) mind of its own. – Jim 10/9, 2015 at 16:10

@GeoffKendall Stored credentials are encrypted with the user's Windows password. Unless they know your Windows password, they cannot steal your site passwords. – Advised 10/9, 2015 at 18:11

@GeoffKendall only if you don't have your computer PW protected or without disk encryption. In that case, you're effed anyway. really bad practice to disable it. you should be going out of your way to make sure it works. – Po 8/12, 2016 at 22:3

@Ian Boyd and FlavorScape ...or they walk up to your logged-in machine and start using it? – Jim 9/12, 2016 at 13:26

@GeoffKendall If a user leaves their machine/Pgp/TrueCrypt/Veracrypt/Keepass/1Password/PasswordSafe/LastPass unlocked and then walks away: the problem is with the user. Encryption only works when used. And, if the user doesn't want to use a password manager that is their decision - not the web-site's. – Advised 9/12, 2016 at 21:42

@Ian Boyd Not really. An example: step across to refill your glass of water. Boss sees you and calls you over to meet important client. Discussion moves into another room and you are part of it. The auto entering of usernames and consequent entering of passwords means users only have 'fail-dangerous' protection. It'd be far better if username and passwords had to be known for anyone to gain access. There are all sorts of situations in which you can avoid danger if you are perpetually vigilant and able to be entirely focused - it's better when you don't need to be, and remain safe nonetheless. – Jim 14/12, 2016 at 11:1

@GeoffKendall If you don't want your web-browser auto-filling your passwords, then you tell your web-browser not to save your passwords. Don't you try to tell my web-browser that it cannot save my passwords on my computer. If you don't like passwords being saved, because you are unable to lock your machine when you walk away, then don't use it. You have the ability to not use it. You have the group policy to disable it. Web-site authors tried to take away my ability to exercise my personal preference; that is why the feature is gone and not coming back – Advised 14/12, 2016 at 14:56

@GeoffKendall If you don't want anyone gaining illicit access to your websites: you should not tell them your password. – Advised 12/7, 2017 at 18:34

In my case I really need to turn it off. The user must login to my server, and it saves the credentials for my server (this is fine). Part of what my server does allows users to present data with user specified credentials that are most likely different than what they use to log into my server. In this case the autofill is completely wrong, and it is not obvious to the user that it is wrong. – Foothold 1/10, 2018 at 15:40

@Foothold Then it's out of your hands. If the users choose to save passwords: they have to accept the fact that the passwords will be saved. I release you from your torment. – Advised 3/10, 2018 at 14:16

@IanBoyd 1) I don't think you understand my statement. 2) I think saving the password is great. 3) It fills in the wrong password. 4) Here are the details, in maybe a more understandable way: My page has fields for a user to login to it (the credentials for this are autofilled in correctly - yay!), but the page has a list of sites that my page is managing, each one has its own credentials (these credentials are autofilled incorrectly - dang! - autofill uses the credentials for my page instead of the specific credentials for each of the sites it is managing). I wish it could handle it. – Foothold 3/10, 2018 at 16:20

So it would be great if it could handle it, but instead it populates a bunch of credential boxes with the wrong information, and the user has no obvious way to know what the problem is until it is too late. – Foothold 3/10, 2018 at 16:22

@Foothold Change the UI so the boxes are type=text rather than type=password. – Advised 3/10, 2018 at 18:7

Your rant was informative but ultimately useless. Chrome is filling in the wrong fields and it's breaking my website. The field isn't named "UserName" and isn't type=password but it's still putting in the users username consistently. So your browser is being stupid and it should stop doing the wrong thing.™ – Weary 6/11, 2018 at 21:42

Chrome assumes that the field directly above any "password" field is the username. Since this isn't always true you need to trick chrome by adding a hidden field (using opacity so it thinks it is there) so that it will dump the username into something that won't break other functionality. – Weary 6/11, 2018 at 21:55

"What if I'm a special snowflake?" <- there are perfectly valid uses cases, there's no need to be insulting & condescending. I have forms that are just a text input & obfuscated "password" input that are NOT login forms & need to find a way to stop browsers as treating these as login forms. The password are not passwords, but single use codes that should not be remembered & are NOT a login to the site, so having the browser filling the user's login is a pain. You do not provided a solution, just insult ppl who are having this problem, so I have downvoted this answer. – Decca 14/3, 2022 at 12:2

@JamesStevens Did you try turning off input=password and instead change it to input=text on your fields that contain single-use codes? Also, have you tried clicking No when it asks if you want to save the code? My concern is that if the web-site disabled auto-saving of a one-time-use token, that my browser might then not try to fill the same one-time use token from the last time. – Advised 14/3, 2022 at 13:58

So my form takes only a key-name (plain text) & key (its a PSK, so I want this obfuscated). Chrome was always treating this as a login form & entering the user's login details. Adding autocomplete="new-password" on the PSK (password) input stop chrome from doing this (for me). Another work round is to have a second pair of inputs, before the real ones, but place them off-screen (x=-100,y=-100) - if you just hide them (display:none) chrome isn't fooled – Decca 15/3, 2022 at 15:30

the issue is that NOT all forms that contain a type=password input are actually asking for a password. You might use it for LOTS of different reasons, like I have for the user to enter a PSK, say, for setting up a VPN authentication or DNS zone transfer (TSIG). I do a lot of web interfaces to server management. Saying "just don't use an obfuscated input" is NOT a solution. It's not the saving I have a problem, its the pre-filling with the user's login details for something that is NOT a login form, it just happens to have an obfuscated input & the only way to do that is type=password – Decca 15/3, 2022 at 15:37

"My concern is that if the web-site disabled auto-saving of a one-time-use token, that my browser might then not try to fill the same one-time use token from the last time" <- you DON'T want the same ONE-TIME code entered more than once, the clue is in the name - they are single use code, they only work ONCE, so you would NEVER want the same ONE-TIME code entered for a second time – Decca 15/3, 2022 at 15:39

@JamesStevens "You DON'T want the same ONE-TIME code entered more than once, the clue is in the name - they are single use code, they only work ONCE, so you would NEVER want the same ONE-TIME code entered for a second time." That's fine for your opinion in your browser, when you browse the web-site, on your computer. But you won't be inflicting your opinion on my browser, when i'm browsing the web-site, on my computer. If you don't want your browser to save it, i explain how to click the "Nope" button here – Advised 15/3, 2022 at 18:9

@JamesStevens Did you try turning off input type='password' and instead change it to input type='text' on your fields that contain single-use codes - so that the browser doesn't try to hide, mask, or otherwise obfuscate the OTP? – Advised 15/3, 2022 at 18:13

You continue to not solve my problem, but just insist you are right (in insulting people who have different use cases). Just cos you are failing to understand my use case doesn't make you right. Not all forms with a type=password field are logins to that web site, that's a fact, & for the browser to assume they are & fill in the login details IS over-reach on its part. The fact you can't understand this is your failing. – Decca 16/3, 2022 at 19:41

@JamesStevens Well here's the thing, and there's no way around this: i am right. And every browser vendor agrees with me. Because what you want to do is wrong. What you want to do is take away the user's choice. So all i can do is tell you what you should be doing. It's like the developers who are upset that their code is unable to perform tasks that require administrative privilege because the user is not an administrator. You can hate the situation as much as you want, but in the end: we are where we are. Browsers do not let you override the user's wishes - no matter how much you hate it. – Advised 18/3, 2022 at 16:25

So the question is: what are you going to do with this knowledge? Or are you going to continue to be upset about it. Or are you going to accept that you don't get to impose your opinions on your users, and move on. – Advised 18/3, 2022 at 16:26

it's not a login form, it shouldn't be pre-filled with the site's login details. Period. Assuming every single form that has one hidden field & at least one non-hidden field is a login form & pre-filling the fields with the site's stored login details is over-reach. – Decca 7/4, 2022 at 14:56

@JamesStevens How do you define "not a login form"? For example, Microsoft's login system uses one page for your username, then you click Next and you're presented with a page to enter your password. So a form with a Username (and no password input) should auto-fill. And a form with a password input (and no username) should auto-fill. In other words: if a page has an input type=password then it must fill with the user's password. If the web-developer didn't want it to auto-fill the password, he wouldn't have made it type=password. But he did. – Advised 7/4, 2022 at 15:15

There's no way, other than type=password, to have a hidden input field. So "not a login form" means ANY form that requires a field to be hidden (e.g. for legal regulatory reasons), but is not a login to the web site. This legal requirement is common in banking & medical applications, but might also be expected when users are inputting a share key, entering key name & key would be plain & hidden inputs that the browser would assume was a login to the site, when its not. By always filling them with the user's login credentials, browsers risk creating a security vulnerability – Decca 8/4, 2022 at 16:17

auto filling the user's login credentials into a form for entering (say) a TSIG key (DNS shared key) is HIGHLY undesirable behaviour. Auto filling the user's login credentials into a form for entering a one-time-code will, more often than not, result in the user failing to complete the process correctly. I'm REALLY surprised you can't imagine having a form that requires a hidden input, that is not a login form, as I come across it quite a lot in writing admin UIs – Decca 8/4, 2022 at 16:22

there's no way around this <- I've found two ways round it, but I'd rather not have to hack the browser to stop it assuming EVERY SINGLE form that has at least one plain & one hidden field is a form for logging into that site. Personally, I'd prefer browsers were just a lot smarter about handling basic authentication then most of these login forms would become unnecessary, but we are where we are - site have been forced into doing their own login mechanisms & so we have this random mess instead of everybody using the built-in authentication mechanism – Decca 8/4, 2022 at 16:28

Yeye, all nice and good until autocomplete decides that search bar is the perfect place to plant your username, or password or why not both. – Seeto 25/12, 2023 at 21:41

In that case i would tell the web-developer to not name the search box id="search", and to to change it from input type="password" to input type="text". – Advised 26/12, 2023 at 16:55

Same as @Weary et. al - I have a webform that stores API credentials. This not a login form. If the user loads this record and saves a change to an unrelated field and doesn't notice that the browser has OVERWRITTEN the said API credentials with the site user's username/password then they are permanently lost. Data corrupted. This is a valid use of HTML forms - not a special snowflake. Happy for you to keep your rights as a user to save what you want, but when your data is being corrupted because the browser made a bad guess at a login form then you have really lost out – Noblenobleman 20/8 at 13:5

I have to tell my users that they need to edit this particular form using Incognito mode so that the browser doesn't trash the fields. – Noblenobleman 20/8 at 13:8

@Noblenobleman Is the input type set to "password"? – Advised 20/8 at 14:46

The API password field is, yes. The API username field - no - but both fields are populated with the login credentials for the site - nothing to do with the record I am editing. Are you suggesting the all Type="password" fields should be hijackable by the browser? – Noblenobleman 30/8 at 5:40

@Noblenobleman I'm not suggesting any fields should be hijackable by the browser. I'm suggesting the browser should auto-complete passwords boxes. – Advised 30/8 at 16:47

Perhaps - but they are doing it in way a destructive way. I have an API username and API password field on my page, the browser overwrites them with the site's login credentials on pageload. This implementation of auto-complete is destroying data. There has to be a nicer way to handle this - maybe offering to not hijack these fields, or to undo overwriting them or maybe just don't insert saved values into fields already populated (this is my personal preference). This would not destroy data, and if need be, the user can explicitly choose Auto-Fill option to populate them if they want to. – Noblenobleman 2/9 at 2:40

Have you tried changing it from <input type="password"> to <input type="text">? – Advised 3/9 at 13:8

Adding autocomplete="something" attributes does not help me. My form has text type input and Chrome constantly filled it with login data. Adding hidden text type input did not help too. But solution was adding pair hidden input fields with text and password types before visible inputs

 <input type="text" style="width:0;height:0;visibility:hidden;position:absolute;left:0;top:0" />
 <input type="password" style="width:0;height:0;visibility:hidden;position:absolute;left:0;top:0" />

Tested with Chrome Version 74

Laccolith answered 15/5, 2019 at 11:31 Comment(0)

I found the solution. !!!!

PROBLEM

my problem was that the username and password saved in the browser was automatically filling my register form

REASON

The problem here is that the password input type is password. it automatically fills in as username without knowing what the parent entry is.

SOLUTION

Adding autocomplete="new-password" to the password entry solved my problem. It also works in Firefox and chrome. I haven't tested the others.

<input
    id="txtSetPassword"
    [formControlName]="formControlName"
    [type]="show ? 'text' : 'password'"
    class="input"
    autocomplete="new-password"
    [placeholder]="'loginPasswordForm.password.placeholder' | cxTranslate"
  />

Foreignborn answered 19/4, 2022 at 22:32 Comment(0)

I ended up doing something like this:

 <input type="password"
       id="password-field"
       onClick="yourFunction()"
       class="form-control"/>


 function yourFunction() {
   var temporalValue = $('#password-field').val();
   $('#password-field').val("");
   $('#password-field').attr('type', 'text');

   myAjaxRequestPromise(temporalValue).then(function(version) {
      //more logic
   }, function(errorResponse) {

     // Just a hack to fool browsers and do not store my password
     $('#password-field').val(temporalValue);
     $('#password-field').attr('type', 'password');

     // more logic
   });
 }

And always make sure the $('#password-field').val("") initializes the field without values, it could be whenever you show your modal or on the load page callback

It seems to be working fine for Safari/Chrome/Firefox

It basically switches between input types before doing the Ajax request to the server and in case there is an error we set back again the old value to the input.

Herriott answered 21/5, 2019 at 4:33 Comment(0)

<input name="password" type="password" autocomplete="new-password" />

autocomplete="new-password" - This attribute's value works for me.

reference

Ardor answered 16/5 at 5:19 Comment(0)

-3

In HTML 5 you can do it in one of two ways...

<form action="demo_form.asp" autocomplete="off">

Or an individual control

<input type="email" name="email" autocomplete="off">

For more info - http://www.w3schools.com/html/html5_form_attributes.asp

Vimen answered 29/8, 2014 at 13:46 Comment(1)

I don't understand the upvotes as the OP clearly states he already tried this without any success and a few research on more reliable sources than w3schools shows that those attributes indeed have no effect on chrome. – Quevedo 5/9, 2014 at 11:58

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

What if I'm a special snowflake?

AutoFillEnabled

Put it another way

Recommended topics

Hot tags