Hofi
Hofi

Reputation: 966

How to disable autocomplete for a HTML password field in IE11?

IE11 dropped support for autocomplete=off for input type=password at both the form and element level.

Has anybody found a working solution to disable autocomplete under IE11?

Upvotes: 7

Views: 17558

Answers (5)

Arsen Khachatryan
Arsen Khachatryan

Reputation: 103

You need to have different pages for username and password. This approach is used by google too.

Google Sign In Screen

Upvotes: 0

DeadlyChambers
DeadlyChambers

Reputation: 5265

This is a work-around, not best practice.

IE 11 will autocomplete any input type="password". BUT it will only populate the first one. So what I have done is this

<div style="display:none;">
    <input type="text" id="my_username"/>
    <input type="password" id="my_password"/>
</div>              
<asp:Login ID="Login1" runat="server"
    SkinId="LoginDefault" LabelStyle-Font-Bold="true"
    DisplayRememberMe="False"
    DestinationPageUrl="~/CheckPassword.aspx">

    <LoginButtonStyle CssClass="btnEntry" />
    <LabelStyle Font-Bold="True" />
</asp:Login>  

Now if you notice the first one has a style of display:none. Which allows IE 11 to autocomplete it, but the user doesn't care, because they don't see that. I know this is kind of a hack, but it works.

Upvotes: 1

Nerdmaster
Nerdmaster

Reputation: 4555

You're much better off solving the problem of security with two-factor authentication. Hacking around the browser will (a) only work in the short-term (password managers are getting better at handling these kinds of approaches), and (b) often lead to accessibility issues, which can cost you a lot more users than your fear of legitimate password leakage. If you work in a large organization, users of assistive technology who have a tough enough time with your browser hacks can end up filing a lawsuit. (I am not speaking to this hack in particular, but generally speaking working against the browser hurts assistive technologies)

Two-factor authentication, even a sloppy implementation that just asks for something like middle name, then sets a cookie ("this browser is now allowed access without 2FA for a month"), makes it immensely more difficult for a random hacker to gain unauthorized access to an account, and keeps things better off for the users, especially those using screen readers or other assistive technology.

Disabling password managers, on the other hand, tends to lead to easy-to-type passwords rather than strong passwords. Using LastPass or similar, I can have a 24-character password (and LastPass can probably fill in fields you're trying to protect with hacks, fyi) that I would never hope to remember, and a different password for each site. When I have passwords I have to remember, they tend to be two words strung together with a symbol, such as "Dogs+Knife".

Upvotes: 7

JW Lim
JW Lim

Reputation: 1814

I'm a bit late to this, but the cleanest approach (at the time of writing) seems to be making users submit their username and password in different pages, i.e. the user enters their username, submit, then enters their password and submit. The Bank Of America and HSBC Bank websites are using this, too.

Because the browser is unable to associate the password with a username, it will not offer to store passwords. This approach works in all major browsers (at the time of writing) and will function properly without the use of Javascript. The downsides are that it would be more troublesome for the user, and would take 2 postbacks for a login action instead of one, so it really depends on how secure your website needs to be.

PS: Firefox will be following IE11's lead and ignore autocomplete="off" for password fields, as per this 'bug report' which is marked VERIFIED FIXED.

Upvotes: 1

Arsen Khachatryan
Arsen Khachatryan

Reputation: 103

You can insert hidden input after user name input.

Upvotes: 0

Related Questions