Should websites be allowed to disable autocomplete on forms or fields?

Currently, there is an HTML form / input attribute called autocomplete , which, when set to off , disables autocomplete/autofill for that form or element. Some banks seem to use this to prevent password managers from working. These days sites like Yahoo Mail seem to do it as well because they feel that password managers are unsafe. A few weeks ago I implemented a feature in Firefox that gives the user an option to override this for username/password fields only (i.e. to disable the password manager). There now is a request that is asking for it to override autocomplete=off by default. Quoting the issue:

This behavior is a concession to sites that think password managers are harmful and thus want to prevent them from being effective. In aggregate, I think those sites are generally wrong, and shouldn't have that much control over our behavior.

This makes sense to me, for similar reasons as the ones in this comment by BenB.

keyboard loggers exist and are widespread, probably more widespread than malware that can read Firefox password store.
even simple attacks by the little nephew exist: Just look over the shoulder
possibly most importantly, forcing users to re-enter their password every time practically forces them to use a simple password - easy to remember, easy to type, probably even used on multiple websites. This obviously lowers overall security dramatically and thus poses a danger to security.

There have been many workarounds (usually bookmarklet-based) that have been posted on the Internet. IE11 has already removed support for autocomplete=off .

The question is twofold:

Is there any significant increase in security for a website when it uses autocomplete=off on password fields? Or is it actually harmful to security as per BenB's comment?
Should browsers allow this attribute by default and give this much control to the website? (This bit is subjective, feel free to not answer)

While my situation is specific to autocomplete=off for username/password fields (the code only affects the password manager), I do welcome input on the broader aspect of disabling autocomplete=off

20.9k 6 6 gold badges 72 72 silver badges 118 118 bronze badges asked Jan 25, 2014 at 9:20 Manishearth Manishearth 8,317 5 5 gold badges 37 37 silver badges 56 56 bronze badges

What a terrible, terrible option. BenB is completely off-base. As Lucas mentioned, autocomplete=off has nothing to do with whether password managers are "safe" or not. One case he didn't mention is DOM injection/XSS, which can and has (MySpace is one example, IIRC) been used to take advantage of inadequate input validation to add an illicit hidden login form to arbitrary pages in an application to steal the credentials of users who use form auto-complete for credential storage.

Commented Jan 25, 2014 at 15:48

This question is talking about the password manager, not the form fields autocomplete (despite the wrong title of the question). The password manager only stores after user confirmation, never automatically. It also has a store separate from the form field autocomplete - in fact, it's a completely different implementation in Firefox. Thus, mentioned scenarios of unknowingly storing passwords in Internet Cafes don't exist with password fields.

Commented Jan 26, 2014 at 21:04

@user37982 That is not correct. There is an assumption in the question that the reason might be to prevent password managers from working, and then the question wanders in that direction, but that is a bad assumption to begin with.

Commented Jan 27, 2014 at 20:13

@Xander true, though note that the bugs in question are about only the password case. I'm more interested in the impact on security by disallowing it for password fields, however I don't mind comments on the other uses .

Commented Jan 27, 2014 at 20:17

Just an FYI, from my field, we are seeing that Security related questions/MFA are basically rendered useless now. When a users fills out their security questions and have to use them, the information is now saved. So all a person has to do now is check the autocomplete. I really still do not understand why Chrome and Firefox would wish to override what a website sets a field to.

Commented Jun 16, 2014 at 16:21

5 Answers 5

The problem is that this one setting simultaneously controls the behavior of two similar but sufficiently dissimilar functions in the browser such that an optimal result is difficult to achieve.

First, we have what you might call "smart" or "naïve" or "automatic" auto-complete.

This is the original auto-complete technology. As you fill in forms on various sites, the browser watches the names of the forms and the contents you fill, and silently remembers the details. Then, when visiting another site with a similar-looking form, it "helpfully" fills in fields using the values it filched from your previous behavior on other sites.

The idea here is to save you time without any configuration or decision-making on your part. Filling in your name? We'll automatically fill in the name you used last time. Filling in a credit card? We'll fill in the credit card you used elsewhere.

In its zeal to be helpful, the browser is sharing your secrets from one site with all the others, just in case it's what you wanted. From a security perspective, this is a disaster for all the obvious reasons and for several non-obvious ones as well. It has to be disabled, and probably shouldn't have ever been implemented to begin with.

Second, we have "explicit" or "secure" or "configured" auto-complete

This is the world, primarily, of saved usernames and passwords. In this incarnation, the browser saves your form data only with your explicit approval. Ideally, it stores that data in an encrypted store, and most critically, the data is firmly associated with a single site. So your Facebook password stays with Facebook, and your Amazon address stays with Amazon.

This technique is critically different in that the browser is replaying saved behavior when the matching environment is detected. By comparison, the other technique is anticipating desired behavior automatically by looking for similarities.

When you visit the site and it presents a login form, your browser should helpfully auto-fill the data you had explicitly saved for that purpose. The interaction should be quick and thought-free for the user. And, critically, should absolutely BREAK in a phishing attempt. The browser should be so completely unwilling to deliver credentials to a phishing site such that it makes her stop and think about why the thing isn't working.

This feature is your primary line of defense against phishing. It has to work. You are unavoidably less secure if the user can't depend on this feature working transparently and effortlessly under normal conditions.

And while this is primarily used for credential storage, it's also a secure place to put other secure data as well, such as payment cards, address, security questions, etc. Such additional data probably won't be site-specific, but should probably not auto-fill without prompting.

One option to rule them all

The problem here is that in many implementations, the autocomplete=false option controls both behaviors. Both the one you want to keep, and the one you want to kill.

Ideally, "secure" auto-complete should never be disabled. We're relying on this feature to add safety, so misguided site operators shouldn't be allowed to jeopardize that.

And ideally, "automatic" auto-complete should be disabled by default, to be enabled only for those rare conditions (if any) where you actually want the browser to re-use your input from other sites.