Disable browser 'Save Password' functionality?

I'm not sure if it'll work in all browsers but you should try setting autocomplete="off" on the form.

The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value "off". From developer.mozilla.org/En/How_to_Turn_Off...

Some minor research shows that this works in IE too but I'll leave no guarantees ;)

@Joseph: If it's a strict requirement to pass XHTML validation with the actual markup (don't know why it would be though) you could theoretically add this attribute with JavaScript afterwards but then users with JS disabled (probably a neglectable amount of your userbase or zero if your site requires JS) will still have their passwords saved.

Example with jQuery: $('#loginForm').attr('autocomplete', 'off');

Just a quick comment, since this is changing, HTML5 adds the autocomplete attribute to the spec, so it is valid now. – Tyler Egeto Jan 10 '11 at 1:32

Firefox (3.6.15) doesn't seem to be regarding the autocomplete="off" at all. I tried adding that to both the form and the password field, but it still fills the pwd when I press tab on the username field. I also tried changing the name attribute of the pwd field to something else, but looks like it uses the type="password" attribute (though I read it matches the 'name' attribute). That too doesn't work. Anything else I can try? – hese Mar 9 '11 at 21:56

You can prevent the browser from matching the forms up by randomizing the name used for the password field on each show. Then the browser sees a password for the same URL, but can't be sure it's the same password. Maybe it's controlling something else.

Update: note that this should be in addition to using autocomplete or other tactics, not a replacement for them, for the reasons indicated by others.

Use real two-factor authentication to avoid the sole dependency on passwords which might be stored in many more places than the user's browser cache.

Btw it's authentication not authentification – Jonathan. Dec 26 '11 at 22:43

thanks, Jonathan – David Schmitt Dec 27 '11 at 14:08

Markus raised a great point. I decided to look up the autocomplete attribute and got the following: The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation however. (source) So I would have to say that although it doesn't work 100% across the board it is handled in the major browsers so it's a great solution.

I'm having this problem of validating as per the w3c standards. The thing is I want this functionality for a Mobile banking website. I've an assumption that mobile browsers are strict enough and may sometimes mess up the form if some invalid attribute is being used.

What do you recommend in this case? – asgs Mar 8 '10 at 6:56

I think that is an old style of thinking. Many recent mobile browsers are built off of WebKit and either support or gracefully ignore this attribute. I am not aware of how other countries, or browsers in older cell phones handle this but gracefully handling attributes / elements that are not known is fundamental to a good browser. It "future proofs" the browser to not break as the web evolves. It may fall behind (not implementing new features) but it won't break. Hope that helps =) – Joseph Pecoraro Apr 10 '10 at 23:58

It should be rather a comment to the referred answer than an answer to the question itself. – Török Gábor Dec 16 '10 at 13:05

I had been struggling with this problem a while, with a unique twist to the problem. Privileged users couldn't have the saved passwords work for them, but normal users needed it. This meant privileged users had to log in twice, the second time enforcing no saved passwords.

With this requirement, the standard autocomplete="off" method doesn't work across all browsers, because the password may have been saved from the first login. A colleague found a solution to replace the password field when it was focused with a new password field, and then focus on the new password field (then hook up the same event handler). This worked, except it caused an infinite loop in IE6. Maybe there was a way around that, but it was causing me a migraine.

Finally, I tried to just have the username and password outside of the form. To my surprise, this worked! It worked on IE6, and current versions of Firefox and Chrome on Linux.

I haven't tested it further, but I suspect it works in most if not all browsers (but it wouldn't surprise me if there was a browser out there that didn't care if there was no form). Here is some sample code, along with some jQuery to get it to work.

Not really - the only thing you could realistically do is offer advice on the site; maybe, before their first time signing in, you could show them a form with information indicating that it is not recommended that they allow the browser to store the password. Then the user will immediately follow the advice, write down the password on a post-it note and tape it to their monitor.

What I have been doing is a combination of autocomplete="off" and clearing password fields using JavaScript / jQuery. jQuery example:

    $(function () {
      $('#PasswordEdit').attr('autocomplete', 'off');
      // Clear the field shortly after load, once the browser has filled it in.
      setTimeout(function () { $('#PasswordEdit').val(''); }, 50);
    });

By using setTimer() you can wait for the browser to complete the field before you clear it, otherwise the browser will always autocomplete after you've cleared the field.

@Howard: you can format your code by selecting it in the editor and pressing Control-K. – John Saunders Mar 31 '10 at 19:16

Just so people realise - the 'autocomplete' attribute works most of the time, but power users can get around it using a bookmarklet. Having a browser save your passwords actually increases protection against keylogging, so possibly the safest option is to save passwords in the browser but protect them with a master password (at least in Firefox).

I can see how you may want to prevent users from inadvertently saving passwords on public computers to sensitive websites. However, I believe the side-effects are even worse, and that there should be a Firefox option to override the override. And after some searching here it is.

You can either override it permanently or use a bookmarklet to allow it per site. mydigitallife.info/2008/08/16/fix-firefo....

autocomplete="off" works for most modern browsers, but another method I used that worked successfully with Epiphany (a WebKit-powered browser for GNOME) is to store a randomly generated prefix in session state (or a hidden field, I happened to have a suitable variable in session state already), and use this to alter the name of the fields. Epiphany still wants to save the password, but when going back to the form it won't populate the fields.
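
The randomized field-name approach from the answers above (a new name on each show, with the prefix kept in session state), sketched server-side in Node.js as an added example that is not code from any of the posters. `renderLoginForm`, `readCredentials`, the `/login` action and the plain-object session are assumptions for illustration, and autocomplete="off" is kept alongside it as the earlier update recommends.

```javascript
const crypto = require('node:crypto');

// Build the login form. A fresh random prefix is stored in the server-side
// session, so the field names differ every time the form is shown and the
// browser cannot match a saved credential to them by name.
function renderLoginForm(session) {
  // Hex output only, so it is safe to place in an attribute unescaped.
  session.fieldPrefix = 'f' + crypto.randomBytes(8).toString('hex');
  const p = session.fieldPrefix;
  return [
    '<form id="loginForm" method="post" action="/login" autocomplete="off">',
    `  <input type="text" name="${p}_user" autocomplete="off">`,
    `  <input type="password" name="${p}_pass" autocomplete="off">`,
    '  <button type="submit">Sign in</button>',
    '</form>',
  ].join('\n');
}

// Map a parsed POST body back to credentials. The prefix is single-use: it is
// cleared before the lookup, so a stale or replayed form yields null and the
// caller re-renders the form with new names.
function readCredentials(session, body) {
  const prefix = session.fieldPrefix;
  delete session.fieldPrefix;
  if (!prefix) return null;
  const user = body[`${prefix}_user`];
  const pass = body[`${prefix}_pass`];
  if (typeof user !== 'string' || typeof pass !== 'string') return null;
  return { user, pass };
}

// Constructed sample: render the form, then submit it once with made-up values.
const session = {};
const html = renderLoginForm(session);
const posted = {
  [`${session.fieldPrefix}_user`]: 'alice',
  [`${session.fieldPrefix}_pass`]: 'constructed-password',
};
console.log(html);
console.log(readCredentials(session, posted));
```
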

The website tells the browser that it is a password by using . So if you must do this from a website perspective then you would have to change that. (Obviously I don't recommend this.) The best solution would be to have the user configure their browser so it won't remember passwords.

An elaboration of security issues would be helpful. – Karl Nov 30 '08 at 20:35

@karl: because having to type the password in the open allows "shoulder surfing", the process of gleaning a password by looking at the screen while it is being typed. – David Schmitt Jan 22 '10 at 10:14

Not just human shoulder surfing, but spyware or viruses can watch your screen and see what has been typed in plaintext fields. – Karl Jan 22 '10 at 11:48

@karl: If you've got spyware/virus on your computer then no amount of asterisk protection is going to save you. It's no more difficult for an installed app to intercept what's being typed into a 'password' field than it is to do the same for a plain-text field. – Markus Olsson Jan 22 '10 at 11:59

Also, if the browser sees a regular text input instead of a password input, it's likely to stash the password in the form autocomplete database instead of the password database ... and then suggest it or even autofill it on some unrelated website! So you're actually even worse off than when you started. – Zack Jan 22 '10 at 0:16

One way I know is to use (for instance) JavaScript to copy the value out of the password field before submitting the form. The main problem with this is that the solution is tied to JavaScript. Then again, if it can be tied to JavaScript you might as well hash the password on the client-side before sending a request to the server.

The website tells the browser that it is a password by using type="password". So, we just need to make unwanted fields invisible like this: ... signup_nick ... If we want to prevent browser ‘Save Password’ functionality - just use JS & AJAX like google :).
