Categories
autocomplete browser forms html

How do you disable browser autocomplete on web form field / input tags?

3117

How do you disable autocomplete in the major browsers for a specific input (or form field)?

3

  • 5

    In some systems where testers have to manually enter a lot of information over and over it might be useful to have the option as configurable so that when testing you can disable it and just hit ‘tab > down arrow > tab > down arrow etc…’

    Nov 22, 2009 at 5:15

  • Try github.com/terrylinooo/disableautofill.js , it uses JavaScript the skip the auto-fill function from browser.

    – Terry Lin

    Feb 25, 2021 at 8:50

  • 3

    This question is being discussed on meta.

    – cigien

    Oct 2, 2021 at 18:03

2826

Firefox 30 ignores autocomplete="off" for passwords, opting to prompt the user instead whether the password should be stored on the client. Note the following commentary from May 5, 2014:

  • The password manager always prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.

According to the Mozilla Developer Network documentation, the Boolean form element attribute autocomplete prevents form data from being cached in older browsers.

<input type="text" name="foo" autocomplete="off" />

7

  • 55

    This did not work for me in Firefox 3.0.3 I had to put the autocomplete attribute in the FORM rather than the INPUT.

    Nov 12, 2008 at 4:11

  • 23

    Autocomplete is only defined in the HTML 5 standards, so it will break any validations you run against HTML 4.*…

    – Jrgns

    Jan 19, 2009 at 8:04

  • 109

    @Winston, you should put it both on the form, AND on the input element itself. That way you cover all the nonstandardness of browsers.

    – AviD

    Dec 13, 2010 at 12:11

  • 90

    And remember to disable your autocomplete = on extension (if you’re using Chrome) before you test your webapp. Else you’ll feel real silly like me. 😉

    – Jo Liss

    Feb 26, 2011 at 0:57

  • 4

    Surprised, why this answer is accepted and having so much votes. Even there is nothing special as said others. As per my findings most specific and proved solution has provided by @Ben Combee in this thread.

    Oct 27, 2021 at 5:46

361

In addition to setting autocomplete=off, you could also have your form field names be randomized by the code that generates the page, perhaps by adding some session-specific string to the end of the names.

When the form is submitted, you can strip that part off before processing them on the server-side. This would prevent the web browser from finding context for your field and also might help prevent XSRF attacks because an attacker wouldn’t be able to guess the field names for a form submission.

7

  • 13

    This is a much better solution compared to using autocomplete=”off”. All you have to do is generate a new name on every page load and save that name to a $_SESSION for future use: $_SESSION['codefield_name'] = md5(uniqid('auth', true));

    – enchance

    Nov 13, 2011 at 9:03


  • 93

    No, this is not a better solution, because the origin of preference for this setting is user agent also known as the web browser. There is a difference between supporting certain behaviour (which HTML 5 attempts to do) and forcing it by deciding on behalf of the user, which you suggest is a “much better solution”.

    – amn

    May 27, 2013 at 17:09


  • 19

    This solution can work with all browsers, so in that respect it is “better”. Still, amn is correct, deciding to disable autocomplete on behalf of your users is not a good idea. This means I would only disable autocomplete in very specific situations, such as when you plan to build your own autocomplete functionality and don’t want conflicts or strange behavior.

    May 15, 2014 at 21:34


  • 10

    Regarding XSRF attacks, I’m not sure what type of attack you were picturing, but couldn’t the attacker just strip off the end part the same way you do server-side to identify the fields? Or if the attacker is posting the fields, couldn’t they append their own random string since it’ll be stripped off by the server?

    – xr280xr

    Feb 11, 2015 at 20:10


  • 13

    @macguru2000 building your own autocomplete is a completely legit and common use-case. Really the browser should make it easier for developers to turn off autocomplete when they need to instead of forcing us to use hacks like this one

    – whoadave

    May 6, 2015 at 2:01

272

Most of the major browsers and password managers (correctly, IMHO) now ignore autocomplete=off.

Why? Many banks and other “high security” websites added autocomplete=off to their login pages “for security purposes” but this actually decreases security since it causes people to change the passwords on these high-security sites to be easy to remember (and thus crack) since autocomplete was broken.

Long ago most password managers started ignoring autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.

Unfortunately, bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.

What’s a web developer to do?

  • If you can keep all password fields on a page by themselves, that’s a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
  • Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow
  • Chrome 34, unfortunately, will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully, they will change the Safari behavior. However, adding this to the top of your form seems to disable the password autofill:

    <input type="text" style="display:none">
    <input type="password" style="display:none">
    

I haven’t yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.

4

  • 8

    what do you mean with “adding this on your page seems to disable autofill for the page:”

    – wutzebaer

    May 7, 2014 at 10:31

  • 8

    @wutzebaer, Chrome notices the hidden password field and halts auto-complete. Reportedly this is to prevent the site stealing password info without the user noticing.

    – David W

    Dec 1, 2014 at 23:05

  • 8

    Your snippet of code prevent autocompletes for login fields on Chrome, Firefox, IE 8 and IE 10. Did not test IE 11. Good stuff! Only simple answer that still works.

    May 19, 2015 at 4:44

  • Hello from 2022. I’ve just tried this solution andd it still works on Firefox 101.0.1 but not on Chrome 102.0.5005.115

    – valepu

    Jun 15 at 21:40