views:

1030

answers:

4

Saving and auto-filing of username/password is a feature of most modern browsers. And the user can generally choose to disable this feature on a per domain basis. But is there a standard way for the site itself to prevent password caching?

The emphasis here is cross-browser, so I would employ multiple parallel mechanisms if necessary.

(I have seen caching be effectively disabled in the presence of non-standard login fields, e.g., an extra hidden password field. But I'd rather not depend on side-effects whose behavior could unexpectedly change in the future.)

Conversely, are there browsers/versions out there that implement password caching without any disable feature?

A: 

Give the password input a randomly generated name that only you can recognize. Store that name, for example, in a hidden field, and then use that to get the inserted password. That way, even if the browser does cache the password, it won't be able to bring it back up next time the user visits.

Your users will likely at this point proceed to cache the passwords on a postit on the side of the monitor, but that's really a whole different battle.

The same method works well against spam, since most bots rely on finding common field names.

Ilia Jerebtsov
Intriguing. But the browser will still end up storing passwords on the user's disk, which is a security breach for us. (And, oh, I agree with you on the postit theory.)
Chris Noe
what a ridiculous suggestion
Andrew Bullock
+7  A: 

Add autocomplete="off" to your <input> elements. Works in all modern browsers, IIRC.

ceejayoz
Ah, now see I was expecting something like cache=off. I'll have to test to make sure that the passwords don't make it to disk - as opposed to just being excluded from autocomplete ...
Chris Noe
+1  A: 

I would imagine that browsers save a form's fields when the form is submitted. What if you used AJAX to get the value of the password field, send it, then clear the field? The form would never actually be submitted, so the browser would, theoretically, never have an opportunity to save the values.

Lucas Oman
Anyone done any testing on this answer? I like the theory, just want to know if it's true.
gnarf
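An added example, not code from any of the answers above, that combines the `autocomplete="off"` answer with the "read the password with script, send it, then clear the field" answer. The `/api/login` endpoint is an assumption, and the functions accept plain objects in place of DOM elements so the logic can be exercised outside a browser.

```javascript
// Added example, not from any answer on this page. Assumes a JSON login endpoint
// at /api/login (hypothetical) and fields that expose a .value property.
const LOGIN_URL = "/api/login"; // assumed endpoint, not from the page

// Read both fields into a request body, then blank the password field at once so
// the value is not left sitting in the form after it has been sent.
function takeCredentials(userField, passField) {
  const creds = { username: userField.value, password: passField.value };
  passField.value = ""; // clear the field right after reading it
  return creds;
}

// Mark the form and its fields so browsers that honour the attribute do not
// offer to save them. The attribute is advisory: a browser may still ignore it.
function disableAutofill(...fields) {
  for (const f of fields) {
    if (typeof f.setAttribute === "function") f.setAttribute("autocomplete", "off");
    else f.autocomplete = "off"; // plain-object fallback for tests
  }
  return fields;
}

// Attach a submit handler that cancels the native submission (so the browser never
// sees a completed form post to remember) and sends the credentials with fetch.
// fetchImpl is injectable so the handler can run without a network.
function wireLoginForm(form, userField, passField, fetchImpl = globalThis.fetch) {
  disableAutofill(form, userField, passField);
  const handler = (event) => {
    if (event && typeof event.preventDefault === "function") event.preventDefault();
    const creds = takeCredentials(userField, passField);
    return fetchImpl(LOGIN_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(creds),
    });
  };
  if (typeof form.addEventListener === "function") form.addEventListener("submit", handler);
  return handler; // returned so callers can invoke it directly
}
```

In a page, call `wireLoginForm(document.querySelector("form"), userInput, passInput)` once the elements exist; the returned handler is also what runs on submit.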
A: 

AFAIK, masked fields (ones that show '*' instead of the symbol you type) are never saved for autocomplete. Do you want to prevent the user from remembering the password to your site in the browser's password-saving facilities?

Arkadiy
Correct, prevent storing in the password-saving facility.
Chris Noe