Disable autocomplete

    In 1999, for the first time in Microsoft’s IE 5 browser, Microsoft implemented auto-completion of text fields in forms, which allowed you not to enter the text that you already entered into the field with the given name (including on another site). Then a custom tag extension appeared: autocomplete attribute, setting it to off allowed to disable this functionality for a specific field. Now all popular browsers (suggested that besides Opera) support autocomplete and this attribute. It is also introduced in the HTML 5 standard. However, website developers often neglect it.

    Credit cards

    The most important place to use it is the credit card number entry field. It should be remembered that the browser remembers all the values ​​entered in this field. For example, Firefox 3.5.x does this in the formhistory.sqlite file in the user profile, where they lie in the clear. Setting a master password in the Firefox password manager does not encrypt this file, and I did not find the extensions that would do this (tell me if you know these). I often use web shops and, having entered in the search in my favorite file viewer the first four digits of my card number (which, by the way, are the same for all cards of my bank), I found five copies of the card number under different field names: cc_number, cregit_num , CARDNUM, ctl00 $ cphBody $ txtCardNumber and cardnr. Within visibility in three cases, I found a cardholder name, in two cases, expiration date (often it is suggested to choose from the drop-down list, therefore it is not always remembered), in four cases the CVV code. I note that not all shops need a CVV code; in many it is possible to successfully buy without entering it.

    This means a simple thing: a person with a trained eye will need about two minutes of access to an unlocked computer in order to steal the credit card number from which you used to buy something. There is even nothing to say about the expanse for trojans. At the same time, I don’t see a simple way to clean it all at once without touching the other autocomplete fields: I need to look for the sqllite database editor, install an addon for managing forms (for example, Form History Control - thanks to Source ) or delete it from the field on all relevant sites (and who remembers them) ?). I temporarily solved the problem by creating an HTML file of such content: Having opened it in the browser, I clicked “down” and “delete” in each field. Immediately after this, the card numbers disappeared from formhistory.sqlite.

    If your site asks for information about the card, be sure to add the autocomplete="off"number, card holder and cvv code to the input field. It would be great to see support from browsers as well. For example, an extension for Firefox that allows you to selectively save text in accordance with a regular expression. For the card number, everything is simple: we do not save 16 digits in a row. I don’t remember that I entered any other 16-digit numbers that I would like to remember in autocomplete. Encrypting autocomplete data using a master password would also be appropriate.


    This is not a security issue, but it is often annoying. If your site offers to enter captcha, auto-complete must be turned off, because it still does not repeat. I even saw this on Google:

    Own autofill

    If you yourself have implemented autocomplete (for example, with loading options through Ajax), then do not forget to disable the browser. Usually they don’t forget, but I came across this, for example, on the Wikiled website : The

    upper version was proposed by the browser, and the lower ones were autocompleted by the website itself (some kind of hint about the on-screen keyboard also got in). As a result, using site autofill is very difficult, especially from the keyboard, as the browser intercepts the arrows.

    In general, moral: for each text field that you create, on the machine, figure out whether the user will benefit from autocomplete in this field. If not, turn it off. By the way, the default autocomplete can be disabled for the entire form using
    , and then, if necessary, enable for individual fields.

    Upd: In order for the XHTML document to pass W3C validation , you can extend the DTD, for example, like this:


    </head><br> <body><br> <div><input type="text" autocomplete="off" name="test"/></div><br> </body><br> </html></code></div> </div> <dl class="post__tags"> <dt class="post__tags-label">Теги:</dt> <dd class="post__tags-list"> <ul class="inline-list inline-list_fav-tags js-post-tags"> <li class="inline-list__item inline-list__item_tag"><a href="/?q=html">html</a></li> <li class="inline-list__item inline-list__item_tag"><a href="/?q=безопасность">безопасность</a></li> </ul> </dd> </dl> </div> </div> </div> </main> </body> </html>

    Also popular now: