Confusion over AUTOCOMPLETE=OFF attributes in HTML forms

Before HTML5 the location and scope of the autocomplete attribute were not really standardized, which causes some confusion among both programmers and pentesters.

The autocomplete attribute disables browser autocompletion in HTML forms when rendered by browsers that honour it (it is a hint to the browser, not an enforceable control). It should be applied to fields containing sensitive data (passwords, credit card numbers) to prevent browsers from storing them in insecure local storage for future autocompletion.

There's however some confusion about the location of the autocomplete attribute. Before HTML5 it was not standardized and its implementation resembled a quick hack rather than a specification, with important consequences when you try to use it as an audit reference.

  • This Mozilla article (dated 2003) only mentions the attribute in scope of the whole FORM tag and it doesn't say anything about INPUT tags.
  • Another Mozilla article (undated) discusses issues with HTML4/XHTML validation (and a large thread on StackOverflow).
  • This Microsoft article (2010) mentions both locations — you can disable autocompletion for the whole FORM, or at individual INPUT fields.
  • In HTML5 it's finally standardized and allowed at both locations, FORM and INPUT: an explicit value on the INPUT takes precedence, and an INPUT without the attribute inherits the FORM's setting. But HTML5 is not a published standard as of this writing.

This confusion has real consequences, especially if you go into the world of compliance and security testing. I started investigating the whole topic when IBM AppScan reported an issue on a FORM that did contain the autocomplete=off attribute, while the individual INPUT didn't:

The page is vulnerable since it does not set the "autocomplete" attribute to "off" when the "password" field is part of the "input" element. This may enable an unauthorized user (with local access to an authorized client) to autofill the username and password fields, and thus log in to the site.

Conclusion? You probably shouldn't even bother analysing compliance of the AUTOCOMPLETE attribute. If you're a programmer, just use it whichever way makes sense (INPUT or FORM). If you're a pentester, just check that it is present wherever sensitive data is, and be skeptical of what automated scanners report.
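The check a pentester actually wants is "is every sensitive field covered, whichever level the attribute sits at?", which is not what the scanner above was testing. The script below is an added example (not from the original post and not AppScan's logic) that walks a page with Python's standard-library html.parser, applies the HTML5 precedence rule (explicit INPUT value wins, otherwise the INPUT inherits the enclosing FORM, and a FORM without the attribute means "on"), and reports only the sensitive fields whose effective setting is not "off". The sample page, the SENSITIVE_NAME_RE heuristic and the function names are all assumptions made for the example; the form-only case that AppScan flagged comes out clean, while a field that re-enables autocompletion on the INPUT is correctly reported.

```python
"""Audit which sensitive form fields are actually covered by autocomplete=off."""
from html.parser import HTMLParser
import re

# Heuristic for non-password fields that usually hold sensitive data
# (assumption: tune the name/id fragments for the application under test).
SENSITIVE_NAME_RE = re.compile(r"(pass|pwd|card|ccnum|cvv|cvc)", re.I)


def is_sensitive(attrs):
    """A field is sensitive if it is a password input or its name/id looks like card data."""
    if (attrs.get("type") or "text").lower() == "password":
        return True
    ident = " ".join(filter(None, [attrs.get("name"), attrs.get("id")]))
    return bool(SENSITIVE_NAME_RE.search(ident))


class AutocompleteAuditor(HTMLParser):
    """Tracks the enclosing FORM so that each INPUT gets its effective autocomplete setting.

    HTML5 rule applied: an explicit autocomplete on the INPUT wins; otherwise the INPUT
    inherits the FORM's value; a FORM without the attribute defaults to "on".
    """

    def __init__(self):
        super().__init__()
        self.form_stack = []  # (form number, form-level setting) for open <form> elements
        self.form_count = 0
        self.findings = []    # (form number, field identifier, effective setting)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names, keeps values
        if tag == "form":
            self.form_count += 1
            setting = (attrs.get("autocomplete") or "on").lower()
            self.form_stack.append((self.form_count, setting))
        elif tag == "input" and is_sensitive(attrs):
            form_no, form_setting = self.form_stack[-1] if self.form_stack else (0, "on")
            explicit = attrs.get("autocomplete")
            effective = explicit.lower() if explicit else form_setting
            ident = attrs.get("name") or attrs.get("id") or "<unnamed>"
            self.findings.append((form_no, ident, effective))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit(html):
    """Return the sensitive fields whose effective autocomplete setting is not "off"."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    return [f for f in parser.findings if f[2] != "off"]


# Constructed sample page covering the cases discussed in the text.
SAMPLE_HTML = """
<form id="f1" autocomplete="off">   <!-- attribute on the FORM only: the case AppScan flagged -->
  <input type="text" name="user">
  <input type="password" name="pass1">
</form>
<form id="f2">                      <!-- attribute on the INPUT only -->
  <input type="password" name="pass2" autocomplete="off">
</form>
<form id="f3">                      <!-- nothing set anywhere: a real finding -->
  <input type="password" name="pass3">
  <input type="text" name="cardnumber">
</form>
<form id="f4" autocomplete="off">   <!-- INPUT re-enables it, overriding the FORM -->
  <input type="password" name="pass4" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for form_no, ident, effective in audit(SAMPLE_HTML):
        print(f"form #{form_no}: field '{ident}' has effective autocomplete={effective}")
```

Run it against a saved copy of the login or checkout page; forms f1 and f2 produce nothing, and only pass3, cardnumber and pass4 are reported. Inputs outside any form are treated as "on", since there is no FORM to inherit from.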

There's another topic around autocompletion with lots of confusion in the security community: password managers. The quotation from AppScan presents the "classical" view on this: browsers should never cache passwords. But is it really justified? If you're using a computer in an Internet café, your passwords should definitely not be stored there. But what about your tablet or laptop? My intuition here would be that password managers actually increase user password security, because they allow you to use complex random passwords, different for each site, unlike just relying on memory in the case of 99.9% of users.

Browser behaviours are even less standardized here. For example, the quite popular LastPass password manager will consciously ignore the autocomplete attribute unless explicitly configured to respect it, in which case, obviously, it will not fill in these passwords.