Known Issue: Browser Ignores Disabled Autocomplete Property for Saving User Login Information

Issue

After setting company.security.login.form.autocomplete=false to disable autocomplete for user login information, the browser still permits users to save passwords or use password managers to manage password autocomplete or autofill.

Resolution

This happens because the major browser development teams have either not reached consensus on the autocomplete=off form attribute or have rejected it outright.

Internet Explorer (developer blog):

[O]ne of the top user-complaints about our HTML Forms AutoComplete feature is "It doesn't work-- I don't see any of my previously entered text."  When debugging such cases, we usually find that the site has explicitly disabled the feature using the provided attribute, but of course, users have no idea that the site has done so and simply assume that IE is buggy.  In my experience, when features are hidden or replaced, users will usually blame the browser, not the website. 

In this case, the team decided that keeping the user in control was of paramount importance. 

Chrome (developer discussion):

I wanted to give a heads up that now, by default, Chrome ignores autocomplete='off' for password fields. This allows the password manager to give more power to users to manage their credentials on websites. It is the security team's view that this is very important for user security by allowing users to have unique and more complex passwords for websites.

Firefox (bug report that was marked as fixed):

autocomplete="off" does two things:

a) prevents us from automatically filling in already-saved data for forms/fields that have the attribute

b) prevents us from saving new data for forms/fields that have the attribute

This behavior is a concession to sites that think password managers are harmful and thus want to prevent them from being effective. In aggregate, I think those sites are generally wrong, and shouldn't have that much control over our behavior.

I think we should investigate removing support for autocomplete="off" entirely, or at least the portion of it that prevents us from saving passwords.

To summarize, several of these major browser teams felt that sites that disabled autocomplete took away users' agency to handle and manage passwords for themselves. Because of this, there has been a large push to remove or change this functionality. The company.security.login.form.autocomplete property is slated for removal from Liferay in future releases.
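An added example (not from the original article and not Liferay code): a small Python audit that lists the password fields in a page whose effective autocomplete value is "off", either set on the field or inherited from its form, which is the setting the browser teams quoted above describe ignoring. The sample markup is constructed, and the names AutocompleteAudit and audit are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample markup (not Liferay's actual login form output).
SAMPLE_LOGIN_PAGE = """
<form id="signin" autocomplete="off" method="post">
  <input type="text" name="login">
  <input type="password" name="password">
</form>
<form id="change" method="post">
  <input type="password" name="current" autocomplete="off">
  <input type="password" name="new" autocomplete="new-password">
</form>
"""

def _norm(value):
    """Lower-case an attribute value; treat a missing or empty value as unset."""
    return value.strip().lower() if value else None

class AutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is "off"."""

    def __init__(self):
        super().__init__()
        self.form_id = None      # id of the form currently open, if any
        self.form_value = None   # autocomplete value set on that form
        self.findings = []       # (form id, field name, where "off" was set)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_id = attrs.get("id", "(no id)")
            self.form_value = _norm(attrs.get("autocomplete"))
        elif tag == "input" and _norm(attrs.get("type")) == "password":
            # A field's own attribute overrides the value inherited from its form.
            own = _norm(attrs.get("autocomplete"))
            effective = own if own is not None else self.form_value
            if effective == "off":
                source = "field" if own is not None else "form"
                self.findings.append((self.form_id, attrs.get("name"), source))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_id = self.form_value = None

def audit(html):
    """Return the password fields that rely on autocomplete=off."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for form, field, source in audit(SAMPLE_LOGIN_PAGE):
        print(f"form={form} field={field}: autocomplete=off set on the {source}")
```

Each reported field is one where the page depends on autocomplete=off to keep the browser from saving or filling the password, so it should be reviewed with the behavior described above in mind.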
