[Owasp-egypt] Autocomplete='off' Phasing Out

Mohab Ali mohabali at live.com
Wed Oct 15 06:43:01 UTC 2014

Hello Ahmed.

Another idea I have is to use a textarea for the username instead of the input tag.
Wrote a little demo that should match the same look as input fields http://jsfiddle.net/51vkoj8p/

From: a.m.saafan at gmail.com
Date: Sun, 12 Oct 2014 09:26:45 +0200
To: owasp-egypt at lists.owasp.org
Subject: [Owasp-egypt] Autocomplete='off' Phasing Out

Now that the autocomplete='off' HTML attribute is being phased out [1] [2] [3], I found people using some workarounds:

Split username and password to separate pages: This is the more elegant
solution, adopted by security-conscious websites. It relies on the fact that
browser autocomplete cannot catch username from one page and password from
another (with validation at the end).

Move username and password values to hidden fields before submit: This is a
JavaScript workaround. Just before submit, a script removes the values from
the viewable form fields and moves them to hidden form fields. So the browser
will not try to cache the displayed fields because they are empty, and by
default it will not cache the hidden fields.

Thoughts? Other suggestions? 
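
The hidden-field workaround described in the message above, as an added example that is not part of the original thread. The field names, the form id and the stub form used to exercise the logic outside a browser are all assumptions.

```javascript
// Added example. Field names and the form id are assumptions, not from the thread.
const PAIRS = [['user_visible', 'user'], ['pass_visible', 'pass']];

// Copy each visible value into its hidden counterpart, then blank the visible
// field, so the fields the user typed into are empty when the form is sent.
function moveToHidden(form, pairs) {
  for (const [visibleName, hiddenName] of pairs) {
    const visible = form.elements[visibleName];
    const hidden = form.elements[hiddenName];
    if (!visible || !hidden) {
      throw new Error('missing field: ' + visibleName + ' / ' + hiddenName);
    }
    hidden.value = visible.value;
    visible.value = '';
  }
}

// Run the move on the submit event. form.submit() called from script does not
// fire this event, so the values would then go out in the visible fields.
function protectLoginForm(form, pairs) {
  form.addEventListener('submit', function () { moveToHidden(form, pairs); });
}

// Constructed stand-in for a <form>, so the logic can run outside a browser.
function makeStubForm(values) {
  const elements = {};
  const listeners = [];
  for (const name of Object.keys(values)) elements[name] = { name: name, value: values[name] };
  return {
    elements: elements,
    addEventListener: function (type, fn) { if (type === 'submit') listeners.push(fn); },
    submitByUser: function () { listeners.forEach(function (fn) { fn(); }); },
  };
}

// Simulate a user submit on constructed sample values; return the field state.
function demo() {
  const form = makeStubForm({ user_visible: 'alice', pass_visible: 's3cret', user: '', pass: '' });
  protectLoginForm(form, PAIRS);
  form.submitByUser();
  const out = {};
  for (const name of Object.keys(form.elements)) out[name] = form.elements[name].value;
  return out;
}

// In a page: wire up the real form (id "login" is hypothetical).
if (typeof document !== 'undefined') {
  const form = document.getElementById('login');
  if (form) protectLoginForm(form, PAIRS);
}
```

The server has to read the credentials from the hidden field names, since the visible fields arrive empty whenever the script has run.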

