0
  • I have added autocomplete="off" and I also tried autocomplete="new-password" on the password text field

<input type="password" name="login[password]" id="login_password" placeholder="Password" data-validate="not-empty" data-validate-error-message-position="below">
  • Autocomplete of an already saved password still appears in Chrome and Firefox, which should not happen, even if I use autocomplete="off" or autocomplete="new-password" in the input field. I need a solution to fix this vulnerability. Your help will be appreciated.
SivaShanker
    Is it really a vulnerability? If you choose not to store passwords, you won't get this problem. So it is the user's choice, not a vulnerability – Morpheus Aug 30 '19 at 10:35
  • Possible duplicate of https://stackoverflow.com/questions/17719174/autocomplete-off-is-not-working-when-the-input-type-is-password-and-make-the. – Cody MacPixelface Aug 30 '19 at 10:35
  • Yes, it's a vulnerability. I think we can store your passwords, but autocomplete should not appear for password fields – SivaShanker Aug 30 '19 at 10:38
  • @Trollsyn: It's a duplicate, but there is no solution there – SivaShanker Aug 30 '19 at 10:44
  • @SivaShanker so what is the point of storing passwords in the browser then, if it doesn't make it easy to fill the form? :) – Morpheus Aug 30 '19 at 10:47

2 Answers

0

Most of the major browsers now ignore autocomplete=off.

For more info check this

You can add a hidden input that has type password

  <input type="text" style="display:none">
  <input type="password" style="display:none">
Yasser Mas
  • Thanks for your comment. Will this resolve the vulnerability? Please suggest. – SivaShanker Aug 30 '19 at 10:41
  • It will not prevent the browser from autocompleting password fields; you can't prevent this. But in this case the browser will autocomplete the hidden password fields. Make sure that the two hidden fields come before your input fields. – Yasser Mas Aug 30 '19 at 10:48
  • Another solution: you can prevent the browser from saving the password and autocompleting it by changing the password input's type and name so they are not equal to password. – Yasser Mas Aug 30 '19 at 10:54
  • Please verify against Firefox, Chrome and iOS; I hope that in one of the browsers your solution won't work – Kannan G Aug 30 '19 at 11:00
0

We recently faced this issue. To overcome it we used a trick, which I will explain below.

Problem

We faced an issue where the save password modal appears when logging in (post successful); note we are not using inside

Solution

  1. We keep this <input type="password" autoComplete="off" autoCorrect="off" /> as it is
  2. Using CSS we will apply password type (dot) behaviour

mask the text and will show the password type dot

    font-family: "text-security-disc";
    text-security: disc;
    -webkit-text-security: disc !important;
    -moz-text-security: disc;
  3. Before submit (the first step of submit, before making the ajax call) we will change the type of the input to "text" so that the browser will not understand and won't prompt the user. Also, as you masked the password using CSS, you won't be able to see it in the UI even if you change the type.
Kannan G
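
A check of what the served markup actually carries, added here as an example (it is not code from the question or from either answer): it lists each password input, whether it is one of the hidden decoy fields from the first answer, and which autocomplete token, if any, reached the page. The sample HTML is constructed from the snippets in this thread; the field name `pw2` and the names `PasswordFieldAudit` and `audit` are assumptions.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Record every <input type="password"> and the hints its markup gives the browser."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases attribute names, so autoComplete == autocomplete.
        a = {k: (v or "") for k, v in attrs}
        if tag != "input" or a.get("type", "").strip().lower() != "password":
            return
        style = a.get("style", "").replace(" ", "").lower()
        token = a["autocomplete"].strip().lower() if "autocomplete" in a else None
        self.fields.append({
            "line": self.getpos()[0],
            "name": a.get("name") or a.get("id") or "(unnamed)",
            "autocomplete": token,
            "hidden": "display:none" in style or "hidden" in a,
        })


def audit(html):
    """Return (line, field name, finding) for each password input in the markup."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    report = []
    for f in parser.fields:
        if f["hidden"]:
            finding = "hidden decoy field"
        elif f["autocomplete"] is None:
            finding = "no autocomplete attribute in served markup"
        else:
            finding = "autocomplete=" + f["autocomplete"]
        report.append((f["line"], f["name"], finding))
    return report


# Constructed sample page built from the snippets in this thread; "pw2" is a made-up name.
SAMPLE = """<form>
<input type="text" style="display:none">
<input type="password" style="display:none">
<input type="password" name="login[password]" id="login_password" placeholder="Password">
<input type="password" name="pw2" autoComplete="off" autoCorrect="off" />
</form>"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Run it against the HTML the server returns rather than the template source, so an attribute dropped by a form helper or framework shows up as a missing token.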