Should web sites disable form autocomplete on all forms?
That kind of depends whether you're aiming for security, or to please an auditor.
If you enable autocomplete for the username and password, they'll stay recorded in the user's browser. That means the user won't need to remember it or store it in an easily-accessible place, which means you actually have a chance that they'll pick a strong password. (You have a better chance if you can impose the password.)
If you disable autocomplete, and the browser honors this setting, the user will have to type their password again every time. Therefore they will pick one that's easy to remember and type. If you manage to impose a strong password, they'll store it in an easily-accessible place for copy-paste. A password in a random text file that may be accidentally copied around, that may be pasted by mistake in a public place (URL bar, email, …), is a far worse risk than a password stored in the browser's password store.
You may find the argument that if the user is using a shared browser, they're leaving the credentials around for the next person using that browser. This argument is bogus: even if the browser honors autocomplete=off, they're leaving the password to any passing keylogger.
I think mobile browsers tend to ignore autocomplete=off, due to a combination of awkward keyboards, lack of availability of post-it notes while on the move, and an expectation of a smooth UX.
One specific case where you should turn off autocomplete as thoroughly as possible is a credit card CCV. Maybe even the card number while you're at it, but if you do that, store it server-side and don't let it be displayed in full (though this is not a panacea).
Do make sure however to turn off autocorrect for passwords. You don't want a password to be corrected to a word in the mobile device's dictionary, or to be added into the dictionary when the user rescinds the autocorrection.
The reason browsers are ignoring autocomplete=off is that there have been some web-sites that tried to disable auto-completing of passwords. That is wrong.
And in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.
- June 2009: IEInternals blog where they discuss keeping the user in control (archive)
- February 2014: Chrome's announcement when they began ignoring autocomplete=off (archive)
- January 2014: Bugzilla Bug 956906 - ignore autocomplete="off" when offering to save passwords via the password manager (archive)
- Reddit discussion of Firefox change (archive)
Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.
- Chrome ignores it
- Safari ignores it
- IE ignores it
- Firefox ignores it
What if I'm a special snowflake?
There are people who bring up a good use-case:
I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so they next user could use it.
That does not violate the statement:
Any attempt by any web-site to circumvent the browser's preference is wrong
That is because in the case of a shared kiosk:
- it is not the web-server that has the oddball policy
- it is the client user-agent
The browser (the shared computer) is the one that has the requirement that it not try to save passwords. The correct way to prevent the browser from saving passwords, is to configure the browser to not save passwords. Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.
In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).
From the Chrome Policy List:
AutoFillEnabled
Enable AutoFill
Data type: Boolean (REG_DWORD)
Windows registry location: Software\Policies\Chromium\AutoFillEnabled
Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
Please pass the word that trying to disable autocompleting of passwords is wrong, browsers are intentionally ignoring anyone who tries to do it, and they should stop doing the wrong thing.™
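The kiosk configuration the answer above describes, as an added example that is not part of the original answer: apply the quoted Chromium policy through the registry on a locked-down Windows kiosk so the browser itself stops offering AutoFill, instead of relying on web sites sending autocomplete=off. It assumes an elevated PowerShell session and the HKLM form of the `Software\Policies\Chromium` path from the policy list; `PasswordManagerEnabled` is a separate Chromium policy not quoted on this page (Google-branded Chrome reads the same names under `Software\Policies\Google\Chrome`).

```powershell
# Added example (not from the original answer). Writes the Chromium kiosk policy
# the answer describes: the user-agent, not the web site, decides about saving.
# Assumes an elevated session; path mirrors the quoted Software\Policies\Chromium.
$PolicyKey = 'HKLM:\Software\Policies\Chromium'

function Set-ChromiumKioskPolicy {
    param([string]$Key = $PolicyKey)

    if (-not (Test-Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # AutoFillEnabled = 0: the policy quoted above; disables address/credit-card
    # AutoFill for every user of this machine (REG_DWORD, as the policy list says).
    New-ItemProperty -Path $Key -Name 'AutoFillEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
    # PasswordManagerEnabled = 0: the separate policy that stops the password
    # manager from offering to save credentials (assumed from the same policy
    # list; not quoted on this page).
    New-ItemProperty -Path $Key -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-ChromiumKioskPolicy {
    param([string]$Key = $PolicyKey)

    # Re-read the values and confirm both are present and set to 0, so a
    # kiosk build script can fail loudly if the policy did not land.
    $p = Get-ItemProperty -Path $Key -ErrorAction Stop
    return ($p.AutoFillEnabled -eq 0) -and ($p.PasswordManagerEnabled -eq 0)
}

Set-ChromiumKioskPolicy
if (Test-ChromiumKioskPolicy) {
    'Kiosk browser policy applied: AutoFill and password saving are off'
} else {
    throw 'Kiosk browser policy was not applied'
}
```

Chromium picks the policy up on next launch; `chrome://policy` in the kiosk browser shows the two values as machine-level policies.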
There are two main security issues connected to form autocompletion:
- an attacker with access to the browser will be able to read the saved information (if the storage isn't password protected)
- if the web application is vulnerable to Cross-Site Scripting, malicious code can be used to retrieve autocompleted information and send it to the attacker
Considering these possible "attacks", a web site owner must decide whether the added functionality is worth having or if it brings a risk too big to be taken.
In the end, it all comes down to the kind of web application we are talking about. For example, I wouldn't mind autocompletion for authentication credentials of a news web site, but I certainly wouldn't like my home banking web application to autocomplete my credit card PAN!
While the security best practice is definitely to disable the autocomplete feature, it is a matter that needs to be assessed differently for each situation (and each form field!).