Explain Codes LogoExplain Codes Logo

How do you disable browser autocomplete on web form field / input tags?

html
autocomplete
browser-security
form-handling
Alex KataevbyAlex Kataev·Oct 3, 2024
TLDR

Switching off form field auto-fill can be done by setting autocomplete="off":

<input type="text" autocomplete="off">

This directive immediately halts the browser from suggesting previously entered values. Place it wherever auto-fill isn't required.

Browsers' behavior and security measures require a closer look when tampering with autocomplete. Modern browsers like Chrome and Firefox can ignore autocomplete="off" in password fields, due to internal mechanisms striving to enhance user experience.

An alternative method to prevent this is autocomplete="new-password" specifically for passwords:

<input type="password" autocomplete="new-password">

Deeper strategies such as randomizing field names or inserting dummy text and password inputs can override the browser's heuristics. For tighter control, the readonly attribute can be used, which becomes editable on focus:

<input type="text" autocomplete="off" readonly onfocus="this.removeAttribute('readonly');">

These complications can optimize form handling, but consider the implications on usability and accessibility.

In-depth understanding

Autocomplete behavior unpacked

As a response to security concerns, browers may continue to support auto-filling data despite having autocomplete="off", this is mostly due to the password manager's persistence. They claim usability advantages and protection against phishing attacks.

The following methods can offer better control over autofill:

  • UUIDs for field names: UUIDs can be used to randomize input names, discouraging browsers to autofill fields.

  • Password field isolation: Creating a separate form for password inputs or placing two password fields can trick browsers, especially Safari, to bypass autofill.

  • Use hidden inputs: Fool the browser by placing hidden text and password input fields before the real fields.

  • Apply readonly dynamically: Make input fields readonly and remove it with JavaScript when the field gets focused, preventing most browser autofills:

<input type="text" autocomplete="off" readonly onfocus="this.removeAttribute('readonly');" onblur="this.setAttribute('readonly', true);">

Tips for advanced form handling

Beyond simple autocomplete settings:

  • Trigger focus post blur: A mobile-friendly technique to manage the keyboard trigger, especially in mobile Safari.

  • Cross-browser compatibility: Always validate your solution across different browsers. Investigate form behavior via Developer Tools.

  • Clear browser cache: Ensure consistency by regularly clearing your browser's cache. Form data may not disappear with your settings due to cache persistence.

The security paradox

Implementing autocomplete=off may paradoxically reduce security, as users may resort to less secure passwords if they have to remember multiple ones. Always consider this paradox when deciding to disable autocomplete.

Common scenarios and fixes

Possible situations where autofill is stubborn:

  • Adjacent text fields: Browsers may autofill adjacent text fields before a password field. Consider reordering or isolating these fields.

  • Multiple password fields: In forms with multiple password inputs, browsers may insist on autofilling all fields, especially in sign-up pages.

  • Validation errors: Incorrect autofill data could lead to validation failures. Plan your code's response to these instances.

Enhanced security measures

Incorporating randomized field names or additional hidden fields not only discourages autofill but also strengthens defenses against XSRF threats. A multi-layered approach ensures functionality doesn't compromise security.