Jump to content
ioan

How does Chrome know that a input with a random name is the password field?

Recommended Posts

Posted (edited)
<div class="form-group row margin-bottom">
     <label for="ePassword" class="col-sm-2 col-form-label">Password*</label>
      <div class="col-sm-6">
           <input type="hidden" name="EPASSWORD" id="EPASSWORD"/>
           <input autocomplete="off" CLASS="form-control" spellcheck="false" TYPE="password" name="1DC647A67DB84EE7ABA987E7662DBCF2" onchange="document.getElementById('EPASSWORD').value = this.value" />
     </div>
</div>

The name of the input text is random generated in code. How does Chrome still guesses this is the password field?

Any way to trick Chrome to not know what field is the password field?

 

 

chromesux.JPG

Edited by ioan

Share this post


Link to post

Well, never mind. This seems to work and I don't even have to create a random ass field name:

autocomplete="new-password"

While searching for a solution I saw the above multiple times... but I was sure I already tried it but I guess I didn't!

Share this post


Link to post
15 hours ago, ioan said:

The name of the input text is random generated in code. How does Chrome still guesses this is the password field?

Um, because it states that it is a password field?

<input ... TYPE="password" ... />

Share this post


Link to post
Posted (edited)
1 hour ago, Remy Lebeau said:

Um, because it states that it is a password field?


<input ... TYPE="password" ... />

I understand that, but what if I want to have some other field with the characters masked, would Chrome automatically assume that any masked field is a password field and fill in my password? I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb. I hope they'll respect autocomplete="new-password" and not ignore it in a future version.

Edited by ioan

Share this post


Link to post
Posted (edited)
On 5/13/2022 at 10:21 AM, ioan said:

I understand that, but what if I want to have some other field with the characters masked

A password field is the only type of <input> element that has masked characters.  Unless you are manually masking the characters of a non-password text input field via script? No browser would treat that as a password field.

Quote

would Chrome automatically assume that any masked field is a password field and fill in my password?

No.  Only an <input> field that is explicitly marked as being a password field is treated as a password field.

Quote

I think the decision of Chrome developers to ignore "autocomplete="off" is kind of dumb.

This doesn't just affect Chrome.  Per Mozilla's documentation:

Quote

Note: In most modern browsers, setting autocomplete to "off" will not prevent a password manager from asking the user if they would like to save username and password information, or from automatically filling in those values in a site's login form. See the autocomplete attribute and login fields.

And, per autocomplete attribute and login fields:

Quote

many modern browsers do not support autocomplete="off" for login fields

...

If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

 

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11)

Quote

I hope they'll respect autocomplete="new-password" and not ignore it in a future version.

Per Preventing autofilling with autocomplete="new-password":

Quote

If you are defining a user management page where a user can specify a new password for another person, and therefore you want to prevent autofilling of password fields, you can use autocomplete="new-password".

 

This is a hint, which browsers are not required to comply with. However modern browsers have stopped autofilling <input> elements with autocomplete="new-password" for this very reason.

 

Edited by Remy Lebeau
  • Thanks 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×