views:

6453

answers:

13

One of the joys of working for a government healthcare agency is having to deal with all of the paranoia around dealing with PHI (Protected Health Information). Don't get me wrong, I'm all for doing everything possible to protect people's personal information (health, financial, surfing habits, etc.), but sometimes people get a little too jumpy.

Case in point: One of our state customers recently found out that the browser provides the handy feature to save your password. We all know that it has been there for a while and is completely optional and is up to the end user to decide whether or not it is a smart decision to use or not. However, there is a bit of an uproar at the moment and we are being demanded to find a way to disable that functionality for our site.

Question: Is there a way for a site to tell the browser not to offer to remember passwords? I've been around web development a long time but don't know that I have come across that before.

Any help is appreciated.

Thanks, Matt

A: 

Not really - the only thing you could realistically do is offer advice on the site; maybe, before their first time signing in, you could show them a form with information indicating that it is not recommended that they allow the browser to store the password.

Then the user will immediately follow the advice, write down the password on a post-it note and tape it to their monitor.

Jason Bunting
+40  A: 

I'm not sure if it'll work in all browsers but you should try setting autocomplete="off" on the form.

<form id="loginForm" action="login.cgi" method="post" autocomplete="off">

The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value "off".

From http://developer.mozilla.org/En/How_to_Turn_Off_Form_Autocompletion

Some minor research shows that this works in IE to but I'll leave no guarantees ;)

@Joseph: If it's a strict requirement to pass XHTML validation with the actual markup (don't know why it would be though) you could theoretically add this attribute with javascript afterwards but then users with js disabled (probably a neglectable amount of your userbase or zero if your site requires js) will still have their passwords saved.

Example with jQuery:

$('#loginForm').attr('autocomplete', 'off');
Markus Olsson
+1  A: 

Is there a way for a site to tell the browser not to offer to remember passwords?

The website tells the browser that it is a password by using <input type="password">. So if you must do this from a website perspective then you would have to change that. (Obviously I don't recommend this).

The best solution would be to have the user configure their browser so it won't remember passwords.

Joseph Pecoraro
How is it obvious that you do not recommend changing a input type field? An elaboration of security issues would be helpful.
Karl
@karl: because having to type the password in the open allows "shoulder surfing", the process of gleaning a password by looking at the screen whil it is being typed.
David Schmitt
Not just human shoulder surfing, but spyware or viruses can watch your screen and see what has been typed in plaintext fields.
Karl
@karl: If you've got spyware/virus on your computer then no amount of asterisk protection is going to save you. It's no more difficult for an installed app to intercept what's being typed into a 'password' field than it is to do the same for a plain-text field.
Markus Olsson
A: 

One way I know is to use (for instance) JavaScript to copy the value out of the password field before submitting the form.

The main problem with this is that the solution is tied to JavaScript.

Then again, if it can be tied to JavaScript you might as well hash the password on the client-side before sending a request to the server.

Huppie
+2  A: 

Markus raised a great point. I decided to look up the autocomplete attribute and got the following:

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation however. (source)

So I would have to say that although it doesn't work 100% across the board it is handled in the major browsers so its a great solution.

Joseph Pecoraro
i'm having this problem of validating as per the w3c standards. The thing is I want this functionality for a Mobile banking website. I've an assumption that mobile browsers are strict enough and may sometimes mess up the form if some invalid attribute is being used. What do you recommend in this case?
torrtruk
I think that is an old style of thinking. Many recent mobile browsers are built off of WebKit and either support or gracefully ignore this attribute. I am not aware of how other countries, or browsers in older cell phones handle this but gracefully handling attributes / elements that are not known is fundamental to the a good browser. It "future proofs" the browser to not break as the web evolves. It may fall behind (not implementing new features) but it won't break. Hope that helps =)
Joseph Pecoraro
+4  A: 

You can prevent the browser from matching the forms up by randomizing the name used for the password field on each show. Then the browser sees a password for the same the url, but can't be sure it's the same password. Maybe it's controlling something else.

update: note that this should be in addition to using autocomplete or other tactics, not a replacement for them, for the reasons indicated by others.

Joel Coehoorn
A: 

@Joel that might prevent the form from being auto-populated but would that prevent the browser from then asking to save the password for this supposed new form?

Joseph Pecoraro
A: 

@Markus - Thanks for the direction. It seems that using AutoComplete with web forms would be the best avenue to pursue.

@All - While everyone's answers were directed to the question that I asked, I kind of asked the wrong question. We are using Windows Authentication and the browser interaction is a little different. I will probably be posting a new question shortly.

Thanks everyone!

mattsmith321
+1  A: 

The website tells the browser that it is a password by using <input type="password">. So if you must do this from a website perspective then you would have to change that. (Obviously I don't recommend this).

If you don't use <input type="password">, then wouldn't the browser default to storing the password as an ordinary autocomplete (in the clear, in other words)?

Chris Upchurch
+2  A: 

Use real two-factor authentification to avoid the sole dependency on passwords which might be stored in many more places than the user's browser cache.

David Schmitt
+1  A: 

What I have been doing is a combination of autocomplete="off" and clearing password fields using a javascript / jQuery.

jQuery Example:

$(function() { 
$('#PasswordEdit').attr("autocomplete", "off");
setTimeout('$("#PasswordEdit").val("");', 50); 
});

By using setTimer() you can wait for the browser to complete the field before you clear it, otherwise the browser will always autocomplete after you've clear the field.

Howard Young
@Howard: you can format your code by selecting it in the editor and pressing Control-K.
John Saunders
+1  A: 

I had been struggling with this problem a while, with a unique twist to the problem. Privileged users couldn't have the saved passwords work for them, but normal users needed it. This meant privileged users had to log in twice, the second time enforcing no saved passwords.

With this requirement, the standard autocomplete="off" method doesn't work across all browsers, because the password may have been saved from the first login. A colleague found a solution to replace the password field when it was focused with a new password field, and then focus on the new password field (then hook up the same event handler). This worked, except it caused an infinite loop in IE6. Maybe there was a way around that, but it was causing me a migraine.

Finally, I tried to just have the username and password outside of the form. To my surprise, this worked! It worked on IE6, and current versions of Firefox and Chrome on Linux. I haven't tested it further, but I suspect it works in most if not all browsers (but it wouldn't surprise me if there was a browser out there that didn't care if there was no form).

Here is some sample code, along with some jQuery to get it to work:

<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>

<form id="theForm" action="/your/login" method="post">
  <input type="hidden" id="hiddenUsername" name="username"/>
  <input type="hidden" id="hiddenPassword" name="password"/>
  <input type="submit" value="Login"/>
</form>

<script type="text/javascript" language="JavaScript">
  $("#theForm").submit(function() {
    $("#hiddenUsername").val($("#username").val());
    $("#hiddenPassword").val($("#password").val());
  });
  $("#username,#password").keypress(function(e) {
    if (e.which == 13) {
      $("#theForm").submit();
    }
  });
</script>
Mike Stone
A: 

The website tells the browser that it is a password by using type="password".

So, we just need to make unwanted fields invisible like this:

...
<form action="url" method="post">

<!-- prevent autopaste { -->
<div style="display: none;">
   <input name="l" type="text" />
   <input name="p" type="password" />
</div>
<!-- } -->

    <table>
        <tr>
            <td>signup_nick</td>
            <td><input name="login" type="text" value=""/></td>
...

If we want to prevent browser ‘Save Password’ functionality - just use JS & AJAX like google :)

Porter