Reputation: 173
How to stop a browser storing password values
I am going through an old site adding autocomplete="off" onto passwords fields, ensuring they are hashed and so on to try and increase security.
However how can I stop passwords being stored if chosen by the user in the browser. As if someone left their computer unlocked they could easily get into an admin login due to the username and password being pre-filled even with autocomplete="off" on the input boxes.
I thought I could use JavaScript to check for the existence of a value in the password field (e.g when the browser fills it) and then remove it. But to check for a value you need to change the type of the input box to "text" and once you change it back to "password" the browser fills the boxes up again with values.
Is there anyway to stop this as I would have thought that this could be a security hole for those people who use the same passwords etc as you could just change the DOM element to text, view the value in plain text, then try on other sites the same value.
The code I was trying to use was this where
getEl = an old cross browser function for document.getElement DOM = my own DOM on load function
function clearPSW()
{
var p=getEl('strPassword');
p.setAttribute("type","text");
console.log("value is " + p.value);
// if I exit here without changing back BOTH username and password fields
// remain blank - although the PSW field is now a text field.
//return;
if(p.value!="")
{
console.log("clear");
p = "";
}
// as soon as I do this the browser re-fills the input boxes!
p.setAttribute("type","password");
}
DOM(function(){
console.log("run DOM");
setTimeout(1000,clearPSW());
});
Is there any method at all or is down to the user to be clever and not store passwords in browsers etc? Obviously I am trying to handle these insecure people and force them to re-enter their password each time.
Thanks!
Upvotes: 1
Views: 353
Answers (3)
Reputation: 117
My solution is:
- Change type of that input inside HTML from
type="password"totype="text" Write script that changes type of that input from
type="text"totype="password"suppose that input has
id="pwd". Then:document.getElementById('pwd').setAttribute('type', 'password')Make a delay for calling this function (because if you would not, most browsers would still insert their cached password. My browser stops doing that when delay is > 1400):
setTimeout(
() => document.getElementById('pwd').setAttribute('type' 'password')
, 1500)
Upvotes: 0
Reputation: 48277
Include a hidden password field before your "real" password field:
<input type="password" style="display:none"/>
<input type="text" name="username"/>
<input type="password" name="password"/>
This works!
Upvotes: 0
Reputation: 33578
Browsers such as Chrome now ignore autocomplete=off.
It is really up to the user whether they store passwords. If they do they should really lock the desktop when not at the computer and not share their OS account with others.
You could argue that turning autocomplete off means that the user will either pick a really simple to guess password or they will write it on a post-it note and stick it to the keyboard.
Upvotes: 0
Related Questions
- Prevent Chrome from prompting to save password from input box?
- How to prevent a browser from storing passwords
- Prevent Browsers not to remember password
- Input type=password, don't let browser remember the password
- How to prevent save credentials from login page in web browser
- Prevent user to find password through Firebug/Chrome Dev Tools
- How to disable browser save password functionality?
- How to disable saved password features of browsers on add users form
- How do tell a browser not to offer to save an incorrect password?
- Hide the a saved password from the source