ioan 45 Posted May 13, 2022 (edited) <div class="form-group row margin-bottom"> <label for="ePassword" class="col-sm-2 col-form-label">Password*</label> <div class="col-sm-6"> <input type="hidden" name="EPASSWORD" id="EPASSWORD"/> <input autocomplete="off" CLASS="form-control" spellcheck="false" TYPE="password" name="1DC647A67DB84EE7ABA987E7662DBCF2" onchange="document.getElementById('EPASSWORD').value = this.value" /> </div> </div> The name of the input text is random generated in code. How does Chrome still guesses this is the password field? Any way to trick Chrome to not know what field is the password field? Edited May 13, 2022 by ioan Share this post Link to post
ioan 45 Posted May 13, 2022 Well, never mind. This seems to work and I don't even have to create a random ass field name: autocomplete="new-password" While searching for a solution I saw the above multiple times... but I was sure I already tried it but I guess I didn't! Share this post Link to post
Remy Lebeau 1436 Posted May 13, 2022 15 hours ago, ioan said: The name of the input text is random generated in code. How does Chrome still guesses this is the password field? Um, because it states that it is a password field? <input ... TYPE="password" ... /> Share this post Link to post
ioan 45 Posted May 13, 2022 (edited) 1 hour ago, Remy Lebeau said: Um, because it states that it is a password field? <input ... TYPE="password" ... /> I understand that, but what if I want to have some other field with the characters masked, would Chrome automatically assume that any masked field is a password field and fill in my password? I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb. I hope they'll respect autocomplete="new-password" and not ignore it in a future version. Edited May 13, 2022 by ioan Share this post Link to post
Remy Lebeau 1436 Posted May 15, 2022 (edited) On 5/13/2022 at 10:21 AM, ioan said: I understand that, but what if I want to have some other field with the characters masked A password field is the only type of <input> element that has masked characters. Unless you are manually masking the characters of a non-password text input field via script? No browser would treat that as a password field. Quote would Chrome automatically assume that any masked field is a password field and fill in my password? No. Only an <input> field that is explicitly marked as being a password field is treated as a password field. Quote I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb. This doesn't just affect Chrome. Per Mozilla's documentation: Quote Note: In most modern browsers, setting autocomplete to "off" will not prevent a password manager from asking the user if they would like to save username and password information, or from automatically filling in those values in a site's login form. See the autocomplete attribute and login fields. And, per autocomplete attribute and login fields: Quote many modern browsers do not support autocomplete="off" for login fields ... If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page. This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11) Quote I hope they'll respect autocomplete="new-password" and not ignore it in a future version. Per Preventing autofilling with autocomplete="new-password": Quote If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password". This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling <input> elements with autocomplete="new-password" for this very reason. Edited May 15, 2022 by Remy Lebeau 1 Share this post Link to post