Prevent browser from remembering credentials (Password) Prevent browser from remembering credentials (Password) angularjs angularjs

Prevent browser from remembering credentials (Password)


if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

You should also set autocomplete="off" on your input as well as your form.

Google Chrome release notes:

The Google Chrome UI for auto-complete request varies, depending on whether autocomplete is set to off on input elements as well as their form. Specifically, when a form has autocomplete set to off and its input element's autocomplete field is not set, then if the user asks for autofill suggestions for the input element, Chrome might display a message saying "autocomplete has been disabled for this form." On the other hand, if both the form and the input element have autocomplete set to off, the browser will not display that message. For this reason, you should set autocomplete to off for each input that has custom auto-completion.


I would suggest using Javascript to create a random number. Pass that random number to your Server Action using a hidden field, then incorporate that random number into the names of the "login" and "password" fields.

E.g. (psuedo code, the exact syntax depends on whether you use PHP, jQuery, pure Javascript, etc.)

<script>var number = Math.random();var login_name = 'name_'+number;var pass_word = 'pass_'+number;</script><input name='number' value="number" type='hidden'><input name="login_name" type='text'><input name="pass_word" type='password'>

Your server reads the "number" field, then uses that to read "name_"number value and "pass_"number value.

It won't matter whether or not the user saves their password in the browser, since every time the user logs in, the name and password fields will be different.


Since you're using AngularJS, you can leave the field unnamed, and access the data it contains through the model :

Login: <input ng-model="login" type="text" />Password: <input ng-model="password" type="password" autocomplete="off" />

and in your javascript file :

$scope.doLogin = function() {    var dataObj = {        login: $scope.login,        password: $scope.password    };    var res = $http.post('/login', dataObj);}

Tested in IE10 and Chrome 54