Auto Complete Enabled Password Input
Impact: Low
Description
Enabling autocomplete for password input fields allows browsers to save and autofill sensitive information, such as passwords. This poses a security risk, particularly on shared or public computers, where unauthorized users may access saved credentials.
Recommendation
Disable autocomplete for sensitive form inputs by adding the attribute autocomplete="off" to password input fields. This prevents browsers from saving and autofilling passwords, enhancing security.
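One way to check templates or rendered pages for this finding, as an added example that is not part of the original advisory. It goes slightly beyond the text by also honouring an autocomplete value inherited from the enclosing form; the class name, function name and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs that do not opt out of browser autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = ""  # autocomplete value of the enclosing <form>
        self.findings = []           # (line number, input name) per flagged field

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)

        def norm(key):
            # Attribute values are case-insensitive here and may be missing.
            return (attrs.get(key) or "").strip().lower()

        if tag == "form":
            self.form_autocomplete = norm("autocomplete")
        elif tag == "input" and norm("type") == "password":
            # The input's own attribute wins; otherwise the form's value applies.
            effective = norm("autocomplete") or self.form_autocomplete
            if effective != "off":
                line, _ = self.getpos()
                self.findings.append((line, attrs.get("name") or "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = ""


def audit(html):
    """Return (line, name) for each password input lacking autocomplete="off"."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup: two fields should be flagged, two should pass.
SAMPLE = """\
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/reset" method="post" autocomplete="off">
  <input type="password" name="new_pass">
</form>
<form action="/admin" method="post">
  <input type="PASSWORD" name="admin_pass" autocomplete="OFF">
  <input type="password" name="confirm" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for line, name in audit(SAMPLE):
        print(f"line {line}: password input '{name}' allows autocomplete")
```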
References
- CWE-16
- Mozilla Developer Network (MDN) Web Docs: autocomplete attribute
- OWASP 2021-A5
- OWASP: Secure Coding Practices Quick Reference Guide
Last updated on May 13, 2024