How does Chrome know that a input with a random name is the password field?

[ioan 45]

<div class="form-group row margin-bottom">
     <label for="ePassword" class="col-sm-2 col-form-label">Password*</label>
      <div class="col-sm-6">
           <input type="hidden" name="EPASSWORD" id="EPASSWORD"/>
           <input autocomplete="off" CLASS="form-control" spellcheck="false" TYPE="password" name="1DC647A67DB84EE7ABA987E7662DBCF2" onchange="document.getElementById('EPASSWORD').value = this.value" />
     </div>
</div>

The name of the input text is random generated in code. How does Chrome still guesses this is the password field?

Any way to trick Chrome to not know what field is the password field?

 

 

Edited May 13, 2022 by ioan

[ioan 45]

Well, never mind. This seems to work and I don't even have to create a random ass field name:

autocomplete="new-password"

While searching for a solution I saw the above multiple times... but I was sure I already tried it but I guess I didn't!

[Remy Lebeau 1396]

15 hours ago, ioan said:

The name of the input text is random generated in code. How does Chrome still guesses this is the password field?

Um, because it states that it is a password field?

<input ... TYPE="password" ... />

[ioan 45]

1 hour ago, Remy Lebeau said:

Um, because it states that it is a password field?

<input ... TYPE="password" ... />

I understand that, but what if I want to have some other field with the characters masked, would Chrome automatically assume that any masked field is a password field and fill in my password? I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb. I hope they'll respect autocomplete="new-password" and not ignore it in a future version.

Edited May 13, 2022 by ioan

[Remy Lebeau 1396]

On 5/13/2022 at 10:21 AM, ioan said:

I understand that, but what if I want to have some other field with the characters masked

A password field is the only type of <input> element that has masked characters.  Unless you are manually masking the characters of a non-password text input field via script? No browser would treat that as a password field.

Quote

would Chrome automatically assume that any masked field is a password field and fill in my password?

No.  Only an <input> field that is explicitly marked as being a password field is treated as a password field.

Quote

I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb.

This doesn't just affect Chrome.  Per Mozilla's documentation:

Quote

Note: In most modern browsers, setting autocomplete to "off" will not prevent a password manager from asking the user if they would like to save username and password information, or from automatically filling in those values in a site's login form. See the autocomplete attribute and login fields.

And, per autocomplete attribute and login fields:

Quote

many modern browsers do not support autocomplete="off" for login fields

...

If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

 

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11)

Quote

I hope they'll respect autocomplete="new-password" and not ignore it in a future version.

Per Preventing autofilling with autocomplete="new-password":

Quote

If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password".

 

This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling <input> elements with autocomplete="new-password" for this very reason.

 

Edited May 15, 2022 by Remy Lebeau