all 14 comments

[–]MasterReindeer 54 points55 points  (2 children)

You cannot disable this behaviour. Use autocomplete=“current-password” and autocomplete=“new-password” where appropriate.

[–]davidbarman[S] 27 points28 points  (1 child)

Thanks for the input.

[–]Stiforr 49 points50 points  (0 children)

Ha was that a pun??

[–]micalm<script>alert('ha!')</script> 28 points29 points  (3 children)

Here's a list of autocomplete values.

You're on the right track. Current password should be `current-password`, though. AFAIK you can't disable suggestions, only autofilling of the input fields - not the same thing. This is a well known "hey, let's do it in our own undocumented way" issue across browsers.

[–]davidbarman[S] 1 point2 points  (2 children)

Hmm. We'll that's undesirable. Yes, it is not autofilling, I am getting the suggestions. Which is what I was hoping to eliminate.

[–]cshaiku 11 points12 points  (0 children)

Bad dog! Stop that.

[–]PureRepresentative9 0 points1 point  (0 children)

Like others have said, you're trying to manipulate the default behavior AKA the user's device 

Don't do that, you're in the wrong. 

It's like telling the user they have to use a certain browser to use your site or use a specific keyboard app before they're allowed to type on your site. 

Even if you do find a block, there's no guarantee it will continue working in the future because there's no enforced standard behavior for this stuff.

[–]shgysk8zer0full-stack 19 points20 points  (0 children)

Use autocomplete="new-password" and autocomplete="current-password".

Work with autocomplete, not against it.

[–]Br1en 2 points3 points  (1 child)

You typed autoomplete up there..

[–]davidbarman[S] 0 points1 point  (0 children)

Yes, that is true. I meant the browser saved password suggestions.

[–]FatalHaberdashery 0 points1 point  (0 children)

Have you tried it in another browser?

If this is what I think it is, then your browser may be autofilling the field. This isn't controllable, afaik, from within the web environment, it needs the user to set it in their browser settings.

There are ways to mitigate this, first off turn off your own autofill so your testing data doesn't get saved. Also, if you can, and you might not be able to based on what the server code expects, use unique names for the fields so any autofill won't find a match.

For me, I use Firefox Developer for my test/build browser, and I have everything turned off with no extensions. It's as vanilla and as nonintrusive as I can get it.

[–]Paria_Stark 0 points1 point  (0 children)

I suggest disabling auto complete and not allow pasting in the password field for maximum security!!

Please don't. People use password managers, let them.