Chuck Johnson
Hi Glenn,

Thank you for your detailed response.

I just had a conversation with my boss regarding the setting. He said as long as we have a record of the issue and its status, it should be OK.

I don't know what tool DHS - CISA uses, but it obviously looks at the autocomplete setting. I would hope they would know about browsers not honoring the setting, but it makes me curious then why they flag it as an issue.

I did find a webpage that states that if the autocomplete tag is not included, it is assumed that it is on. Not that you don't already know this, but just for completeness: https://www.invicti.com/blog/web-security/impact-autocomplete-feature-web-security/. I also found a site discussing best practices for login forms. The recommendation on that site is to use autocomplete="current-password" for sign-in forms and autocomplete="new-password" for new and reset password forms: https://web.dev/articles/sign-in-form-best-practices and https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands/.

At any rate, thank you for your time and explanation, I truly appreciate it!
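
An added example, not part of the original post and not the tool CISA uses: a small audit that reports how each password field in a page sets `autocomplete`, so the finding and its status can be recorded per form. The sample HTML, field names and status labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Values the post cites as recommended for password fields.
RECOMMENDED = {"current-password", "new-password"}

def classify(value):
    """Map an effective autocomplete value to a status label (labels are illustrative)."""
    if value is None:
        return "missing"   # no attribute: assumed to be on
    if set(value.split()) & RECOMMENDED:
        return "ok"        # current-password / new-password
    if value == "off":
        return "off"       # what scanners look for; browsers may not honor it
    return "other"         # e.g. "on" or an unrelated token

class PasswordAutocompleteAudit(HTMLParser):
    """Collect (field name, effective value, status) per <input type="password">."""

    def __init__(self):
        super().__init__()
        self.form_value = None   # autocomplete set on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_value = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # A field without its own attribute falls back to the form's value.
            value = a.get("autocomplete", self.form_value)
            self.findings.append((a.get("name", "?"), value, classify(value)))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page: a sign-in form, a reset form, and a legacy form.
SAMPLE = """
<form id="signin"><input name="user" autocomplete="username">
<input type="password" name="pw" autocomplete="current-password"></form>
<form id="reset" autocomplete="off"><input type="password" name="new_pw"></form>
<form id="legacy"><input type="PASSWORD" name="old_pw"></form>
"""

if __name__ == "__main__":
    for name, value, status in audit(SAMPLE):
        print(f"{name}: autocomplete={value!r} -> {status}")
```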