I need to allow users to change their password and as such I have 2 fields on a form: enter your new password re-enter your new password (values for field 1 and 2 must match) To keep the operation private for the user, the obvious choice to use is input type="password" field - which is what I am trying to do. However, browser password managers keep offering to auto-fill the fields, an activity which simply makes no sense in this context. In fact, in my opinion, the practice is actively insecure, because it increases the likelihood that people will choose passwords "similar" to what they currently have, by accepting what is offered by the password manager and making minor adjustments. (just a quick note that there's no need to mention that safeguards to ensure difference can be put in place as I'm aware of this - thanks) I have already done a lot of research to try to disable the password managers, including: autocomplete="off/new-password/rubbish value" (for both form and type="password" fields, separately and at the same time) using javascript to change the field from type="text" to type="password" on focus inserting hidden password fields prior to the password field on the form removing name and id from the field But, while some approaches work partially, nothing works consistently. The only thing that I can find to do that seems to have shot at succeeding is using a type="text" and displaying circles by using a dummy "password" font . However, this approach feels like I am fighting the browsers, and I just cannot credit that there is no easy way to enter "hidden" text without having the password manager involved. Additional notes: I have already tried everything on How to prevent a browser from storing password and none of the solutions offered work reliably. Mozilla has a whole explanation of how to do it here ...which doesn't work. Hence this question. Is there possibly any password guru out there who knows how to disable the password managers when entering hidden text? Thanks!

Reputation: 2193

html password field - disable the password manager

I need to allow users to change their password and as such I have 2 fields on a form:

enter your new password
re-enter your new password (values for field 1 and 2 must match)

To keep the operation private for the user, the obvious choice to use is input type="password" field - which is what I am trying to do.

However, browser password managers keep offering to auto-fill the fields, an activity which simply makes no sense in this context.

In fact, in my opinion, the practice is actively insecure, because it increases the likelihood that people will choose passwords "similar" to what they currently have, by accepting what is offered by the password manager and making minor adjustments. (just a quick note that there's no need to mention that safeguards to ensure difference can be put in place as I'm aware of this - thanks)

I have already done a lot of research to try to disable the password managers, including:

autocomplete="off/new-password/rubbish value" (for both form and type="password" fields, separately and at the same time)
using javascript to change the field from type="text" to type="password" on focus
inserting hidden password fields prior to the password field on the form
removing name and id from the field

But, while some approaches work partially, nothing works consistently.

The only thing that I can find to do that seems to have shot at succeeding is using a type="text" and displaying circles by using a dummy "password" font.

However, this approach feels like I am fighting the browsers, and I just cannot credit that there is no easy way to enter "hidden" text without having the password manager involved.

Additional notes:

I have already tried everything on How to prevent a browser from storing password and none of the solutions offered work reliably.
Mozilla has a whole explanation of how to do it here ...which doesn't work.

Hence this question. Is there possibly any password guru out there who knows how to disable the password managers when entering hidden text? Thanks!

Upvotes: 6

html password field - disable the password manager

Answers (2)

Related Questions