How to stop a browser storing password values

1
votes

I am going through an old site adding autocomplete="off" onto passwords fields, ensuring they are hashed and so on to try and increase security.

However how can I stop passwords being stored if chosen by the user in the browser. As if someone left their computer unlocked they could easily get into an admin login due to the username and password being pre-filled even with autocomplete="off" on the input boxes.

I thought I could use JavaScript to check for the existence of a value in the password field (e.g when the browser fills it) and then remove it. But to check for a value you need to change the type of the input box to "text" and once you change it back to "password" the browser fills the boxes up again with values.

Is there anyway to stop this as I would have thought that this could be a security hole for those people who use the same passwords etc as you could just change the DOM element to text, view the value in plain text, then try on other sites the same value.

The code I was trying to use was this where

getEl = an old cross browser function for document.getElement DOM = my own DOM on load function

function clearPSW()
{
    var p=getEl('strPassword');
    p.setAttribute("type","text");
    console.log("value is " + p.value);
    // if I exit here without changing back BOTH username and password fields
    // remain blank - although the PSW field is now a text field.
    //return;
    if(p.value!="")
    {
        console.log("clear");
        p = "";     
    }
    // as soon as I do this the browser re-fills the input boxes!
    p.setAttribute("type","password");
}

DOM(function(){
    console.log("run DOM");
    setTimeout(1000,clearPSW());
});

Is there any method at all or is down to the user to be clever and not store passwords in browsers etc? Obviously I am trying to handle these insecure people and force them to re-enter their password each time.

Thanks!

3
javascripthtmlsecuritydompasswords
possible duplicate of How do you disable browser Autocomplete on web form field / input tag?Neil McGuigan

3 Answers

0
votes

Browsers such as Chrome now ignore autocomplete=off.

It is really up to the user whether they store passwords. If they do they should really lock the desktop when not at the computer and not share their OS account with others.

You could argue that turning autocomplete off means that the user will either pick a really simple to guess password or they will write it on a post-it note and stick it to the keyboard.

0
votes

Include a hidden password field before your "real" password field:

<input type="password" style="display:none"/>

<input type="text" name="username"/>

<input type="password" name="password"/>

This works!

0
votes

My solution is:

  1. Change type of that input inside HTML from type="password" to type="text"

  2. Write script that changes type of that input from type="text" to type="password"

    suppose that input has id="pwd". Then:

    document.getElementById('pwd').setAttribute('type', 'password')

  3. Make a delay for calling this function (because if you would not, most browsers would still insert their cached password. My browser stops doing that when delay is > 1400):

setTimeout( () => document.getElementById('pwd').setAttribute('type' 'password') , 1500)