HTML - Disable Password Manager

Modern browsers respect autocomplete="new-password" on password input fields, but it is not supported in IE.

For browser support, refer to: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete


Just wanted to add that including:

data-lpignore="true"

on your input element will disable LastPass on that field. Not sure if other password managers have something similar.


This works in the current Firefox (51), Chrome (55), Edge (38) and IE (11):

Use three different hidden password inputs with three different values. This seems to prevent the browser from activating the password manager because it cannot guess which of the three values is the new password to use.

<form name="testform" action="index" method="post"
      autocomplete="off">

    <input name="disable-pwd-mgr-1" type="password" id="disable-pwd-mgr-1" style="display: none;" value="disable-pwd-mgr-1" />
    <input name="disable-pwd-mgr-2" type="password" id="disable-pwd-mgr-2" style="display: none;" value="disable-pwd-mgr-2" />
    <input name="disable-pwd-mgr-3" type="password" id="disable-pwd-mgr-3" style="display: none;" value="disable-pwd-mgr-3" />

    <label for="protected-input">Protected Input</label>
    <input autocomplete="aus" type="password" size="16" maxlength="16" id="protected-input" name="protected-input" accept="numbers" />

    <button name="next" id="next" type="submit" value="Next">
        NEXT
    </button>
</form>

Over the last few years, browser manufacturers have started to ignore the "autocomplete=off" option for password forms. For example, see the change issue for Firefox.

The reasoning is simple: A lot of websites want to disable auto-complete for login forms based on a false understanding of security. Allowing users to store passwords in secure password managers (as provided today by current browsers) is not a security risk. In fact, it helps security by allowing users to use secure and individual passwords for different websites.

So, don't try to disable browser password managers because you think this would increase security for your users. It doesn't.


There might be scenarios where you don't want a password manager to pop up, for example because the password entered is a one-time password or TAN that is of no use a second time. But in the case of a one-time password / TAN, why use a password input at all? Just use a normal input.


Discussion on the issue on Security Stackexchange
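
An added example, not part of any of the answers above: a small JavaScript check that scans form markup for the patterns the answers describe (hidden decoy password inputs, autocomplete values on password fields other than new-password/current-password, one-time codes kept in password inputs, and the LastPass opt-out attribute). The rule names, the field-name heuristic for one-time codes and the sample markup are assumptions made for illustration.

```javascript
// Added example, not code from the answers above. Rule names are hypothetical.
const PASSWORD_TOKENS = new Set(['new-password', 'current-password']);

// Parse one <input ...> tag into a lower-cased attribute-name -> value map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Scan markup with a simple regex (not a full HTML parser) and list findings.
function lintForm(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const field = a.name || a.id || '(unnamed)';
    const isPassword = (a.type || '').toLowerCase() === 'password';
    const hidden = /display\s*:\s*none/i.test(a.style || '') || 'hidden' in a;
    const add = (rule) => findings.push({ field, rule });
    // Hidden password input with a preset value: the decoy trick from the third answer.
    if (isPassword && hidden && a.value) add('decoy-password-field');
    // Password field whose autocomplete is neither password token ("off" included).
    if (isPassword && 'autocomplete' in a && !PASSWORD_TOKENS.has(a.autocomplete.toLowerCase())) {
      add('nonstandard-autocomplete');
    }
    // Heuristic (assumption): the name suggests a one-time code in a password input.
    if (isPassword && /(^|[-_])(otp|tan|one-?time)([-_]|$)/i.test(field)) add('otp-as-password');
    // LastPass opt-out attribute from the second answer.
    if (a['data-lpignore'] === 'true') add('lastpass-opt-out');
  }
  return findings;
}

// Constructed sample markup, not taken from a real site.
const SAMPLE = `
<form autocomplete="off">
  <input type="password" name="decoy-1" style="display: none;" value="x">
  <input type="password" name="login-otp" autocomplete="off">
  <input type="text" name="note" data-lpignore="true">
  <input type="password" name="new-pw" autocomplete="new-password">
  <input type="text" name="sms-code" inputmode="numeric" autocomplete="one-time-code">
</form>`;

console.log(lintForm(SAMPLE));
```

The last two inputs in the sample produce no findings: a password field marked new-password, and a one-time code entered through a normal text input.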
