Opened 4 years ago

Closed 4 years ago

#2772 closed enhancement (fixed)

Add autocomplete="off" to login widget and form password fields

Reported by: netweb Owned by: netweb
Milestone: 2.6 Priority: normal
Severity: normal Version: 2.0
Component: API - Registration Keywords: good-first-bug has-patch
Cc:

Description

Browsers (IE, Chrome, Firefox) no longer respect autocomplete="off" on <input type="password" /> fields.

Via #BuddyPress6269 and #WP24364

This is the best summary; @hnla rounds it up well: https://buddypress.trac.wordpress.org/ticket/6269#comment:3

https://bugzilla.mozilla.org/show_bug.cgi?id=956906

The summary from a very long thread from a Mozi discussion on the subject:

Summary of the change, so people don't have to wade through a long discussion:

  • This change makes it so that autocomplete=off does not stop the Password Manager from working. Normal form autofill can be disabled as usual.
  • The password manager *always* prompts if it wants to save a password. Passwords are not saved without permission from the user.
  • We are the third browser to implement this change, after IE and Chrome.
  • This can be undone locally by flipping the signon.storeWhenAutocompleteOff pref (from about:config) off.
  • The rationale behind this change was the widespread abuse of the autocomplete attribute to prevent password saving where no prevention is required. This change gives users full control over password saving, without compromising on security (again, the user is always prompted).


Seems overall that autocomplete=off should be implemented, the main concern in doing so being that preventing browsers auto saving to password managers would be a very bad thing, possibly resulting in people using weak passwords where they might have been using very strong ones in the knowledge that a browser action by the user would have the password inserted into the field.

It seems that Mozi here acknowledge that they are the last to implement a fix for autocomplete disabling their password saving, thus all major browsers are safe in this respect and my 20 char passwords will be automagically inserted regardless of autocomplete set.

Attachments (1)

2772.diff (2.1 KB) - added by pareshradadiya 4 years ago.
Added 'autocomplete="off"' to password field


Change History (3)

@pareshradadiya
4 years ago

Added 'autocomplete="off"' to password field

#1 @pareshradadiya
4 years ago

  • Keywords has-patch added; needs-patch removed

#2 @netweb
4 years ago

  • Owner set to netweb
  • Resolution set to fixed
  • Status changed from new to closed

In 5793:

Add autocomplete="off" to password field on login widget, user login form, and converter form.

Props pareshradadiya. Fixes #2772
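
A regression check for the change committed above, as an added example (not part of the ticket or of bbPress): it parses rendered HTML and reports each password input whose effective autocomplete value is not "off", generalizing slightly by also honouring a form-level autocomplete="off". The sample markup and field names are constructed, and the check covers markup only, since the description notes that browser password managers no longer honour the attribute.

```python
from html.parser import HTMLParser

# Constructed sample markup (not bbPress's own templates); field names are made up.
SAMPLE = """\
<form method="post" action="/login">
  <input type="text" name="log" />
  <input type="password" name="pwd" autocomplete="off" />
</form>
<form method="post" autocomplete="off">
  <input type="password" name="pass1" />
</form>
<form method="post">
  <input type="password" name="pass2" />
  <input type="PASSWORD" name="pass3" autocomplete="new-password" />
</form>
"""

class PasswordFieldAudit(HTMLParser):
    """Record every password input and its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_value = None   # autocomplete set on the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        raw = dict(attrs)
        value = (raw.get("autocomplete") or "").strip().lower() or None
        if tag == "form":
            self.form_value = value
        elif tag == "input" and (raw.get("type") or "").strip().lower() == "password":
            # A field without its own value inherits the form-level one.
            effective = value or self.form_value
            self.findings.append({"line": self.getpos()[0],
                                  "name": raw.get("name") or "",
                                  "autocomplete": effective,
                                  "off": effective == "off"})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['name']!r} autocomplete={f['autocomplete']!r}",
              "ok" if f["off"] else "NOT off")
```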
