Is autocomplete="off" required on input type "password"? Why?

3

One of the systems I work with was analyzed by a security team, and among the security practices they recommended was the inclusion of autocomplete="off" on input elements of type password.

I would like to know whether this is unnecessary, since browsers already "know" that it is a password field and probably (I think) will not enable autocomplete.

Example:

<input type="password" name="password" autocomplete="off">

    
asked by anonymous 22.11.2016 / 14:04

1 answer

1

Some browsers implement password management: when the user enters a password in a form, the browser gives the option to save it, and when the site is visited again, the field is auto-filled. What's more, the browser allows the user to choose a "master password" that will be used to encrypt the stored data.

So some browsers do not support autocomplete="off".

  • If you set autocomplete on a password field, for example, the browser will allow the user to save the password for the next time the user visits the page. That's why some browsers do not work.
  • This occurs in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
  • In some cases, the browser will autocomplete the field automatically, even if the attribute is set to off.

The correct thing for your security team to recommend would be autocomplete="nope". Since this random value is not a valid value, the browser will give up filling it.

This is solely a client-side matter: if the client chooses to save the password, the browser will give priority to that.

This is really debatable. I'll be doing some broader reading and I'll be editing this answer.

References:

Security - Mozilla

        
    22.11.2016 / 14:20
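
An added example (not part of the question or the answer above): a small Python audit that lists every password input in a page together with its effective autocomplete value, including a value inherited from the enclosing form, so you can see which fields rely on "off", which carry a non-standard value such as "nope", and which are unset. The sample HTML, field names and verdict labels are constructed for illustration; current-password and new-password are autofill tokens from the HTML standard and do not appear in the thread.

```python
from html.parser import HTMLParser

# Autofill tokens from the HTML standard that describe a password field (assumption: not from the thread).
PASSWORD_TOKENS = {"current-password", "new-password"}

# Constructed sample markup, not taken from any real site.
SAMPLE = """
<form action="/login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pw_inherits">
  <input type="password" name="pw_nope" autocomplete="nope">
  <input type="PASSWORD" name="pw_current" autocomplete="current-password">
</form>
<input type="password" name="pw_bare">
"""

def verdict(value):
    """Classify an effective autocomplete value (labels are this example's own)."""
    if value is None:
        return "unset"                      # browser default applies
    tokens = value.lower().split()
    last = tokens[-1] if tokens else ""     # the field-name token comes last
    if last in PASSWORD_TOKENS:
        return "password-token"
    if last == "off":
        return "off-may-be-ignored"         # browsers listed in the answer may still save/fill
    if last == "on":
        return "on"
    return "invalid-token"                  # e.g. "nope": not defined by the standard

class PasswordFieldAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_value = None              # autocomplete set on the enclosing <form>
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_value = a.get("autocomplete")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            value = a.get("autocomplete", self.form_value)
            self.findings.append((a.get("name"), value, verdict(value)))
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for name, value, result in audit(SAMPLE):
        print(f"{name:12} autocomplete={value!r:20} {result}")
```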