Re: [whatwg] Password managers ignoring autocomplete='off' harming security

On Thu, Oct 2, 2014 at 3:12 AM, Dan Poltawski <> wrote:
> The most basic case of autocompleting on the same site is the one
> which is most problematic for us.
> A traditional username/password to login to the site with autocomplete
> enabled and functioning as expected - but then after the user has
> logged in, they do something on a page with one of these (i'll now
> call) masked fields, and without them noticing - that field is
> autocompleted with their login password. Previously we could prevent
> that behaviour by disabling autocomplete on these fields.
> Note a more traditional example of this which might affect more sites
> is something like a 'create new user' form where the password would be
> erroneously set to the password of the user who is creating the
> accounts. has some
ways of managing autofill. I'm not sure how much of it is implemented.
>From that it seems you could use autocomplete=new-password, although
if that works as advertized it would have the problem Daniel Cheng
mentioned, so perhaps it's only used as heuristic.


Received on Thursday, 2 October 2014 06:49:24 UTC