Is there a valid way to disable autocomplete in an HTML form?
To disable form autocomplete, apply autocomplete="off" directly to your <input> elements. For more security in fields like passwords, alter the name attribute value each time the form is loaded.
Beware! Some browsers may ignore this setting in favor of a better user experience.
Striking a balance: security vs standards
Standards such as those defined by the World Wide Web Consortium (W3C) are important, but don't let them handcuff your security efforts. When it comes to sensitive data, it's okay to bend the rules a bit in favor of safety.
Browsers and HTTPS: an implicit benefit
Have you noticed how some browsers automatically disable autocomplete for HTTPS sites? That's not a surefire rule, but it's a lovely bonus!
Scripting autocomplete: JavaScript to the rescue
If you want to ensure the autocomplete attribute is set to 'off' across all browsers, use a bit of JavaScript to dynamically apply the setting on form load.
Field name roulette: randomizing for security
Browsers are smarter than you think. They remember field names to predict what information they'll need next time. Randomize your field names to throw their predictive logic for a loop.
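The two techniques above (setting the attribute from script on form load, and randomizing field names) combined in one added example, which is not code from the original article. The helper names hardenForm and restoreNames and the choice to rename only password inputs are assumptions; the original names are put back at submit time so the server-side handler needs no changes.

```javascript
// Added example (not from the original article). hardenForm and restoreNames
// are hypothetical helper names; the field selector is an assumption.
const SENSITIVE = 'input[type="password"]';

// Random per-load suffix. It is not a secret, it only has to differ between loads.
function randomSuffix() {
  const c = globalThis.crypto;
  if (c && c.getRandomValues) {
    return Array.from(c.getRandomValues(new Uint8Array(8)),
      b => b.toString(16).padStart(2, '0')).join('');
  }
  return Math.random().toString(16).slice(2, 18);
}

// Set autocomplete="off" on the form and every input, then rename sensitive
// fields. Returns a Map of randomized name -> original name.
function hardenForm(form, suffix = randomSuffix) {
  const renamed = new Map();
  form.setAttribute('autocomplete', 'off');
  for (const input of form.querySelectorAll('input')) {
    input.setAttribute('autocomplete', 'off');
  }
  for (const input of form.querySelectorAll(SENSITIVE)) {
    const original = input.getAttribute('name');
    if (!original) continue; // unnamed fields are never submitted
    const randomized = `${original}_${suffix()}`;
    input.setAttribute('name', randomized);
    renamed.set(randomized, original);
  }
  return renamed;
}

// Put the original names back just before submit so the server-side
// handler keeps receiving the field names it expects.
function restoreNames(form, renamed) {
  for (const input of form.querySelectorAll('input')) {
    const original = renamed.get(input.getAttribute('name'));
    if (original) input.setAttribute('name', original);
  }
}

// Browser wiring; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    for (const form of document.forms) {
      const renamed = hardenForm(form);
      form.addEventListener('submit', () => restoreNames(form, renamed));
    }
  });
}
```

A form submitted programmatically with form.submit() does not fire the submit event, so call restoreNames yourself before doing that.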
Even Amazon does it: successful use cases
Need some inspiration? Look at Amazon. They use autocomplete successfully with their forms. If it's good enough for them, it's certainly worth considering for your site.
The user experience: balancing act in design
Keep in mind that while disabling autocomplete does improve security, it can get in the way of usability. Striking a balance is key, but when in doubt, go for security.
Important regulations: compliance isn't an option
For certain industries like finance and healthcare, disabling browser autofill isn't just a good idea—it's mandatory!
W3C warnings are like your mother-in-law
Sometimes you just have to nod, smile, and carry on with your plans. In other words, ignore the warnings when they get in the way of a more secure user experience.