Most of the major browsers and password managers (correctly, IMHO) now ignore
Why? Many banks and other "high security" websites added
autocomplete=off to their login pages "for security purposes" but this actually decreases security since it causes people to change the passwords on these high security sites to be easy to remember (and thus crack) since autocomplete was broken.
Long ago most password managers started ignoring
autocomplete=off, and now the browsers are starting to do the same for username/password inputs only.
Unfortunately bugs in the autocomplete implementations insert username and/or password info into inappropriate form fields, causing form validation errors, or worse yet, accidentally inserting usernames into fields that were intentionally left blank by the user.
What's a web developer to do?
- If you can keep all password fields on a page by themselves, that's a great start as it seems that the presence of a password field is the main trigger for user/pass autocomplete to kick in. Otherwise, read the tips below.
- Safari notices that there are 2 password fields and disables autocomplete in this case, assuming it must be a change password form, not a login form. So just be sure to use 2 password fields (new and confirm new) for any forms where you allow
Chrome 34 unfortunately will try to autofill fields with user/pass whenever it sees a password field. This is quite a bad bug that hopefully they will change to the Safari behavior. However, adding this to the top of your form seems to disable the password autofilling:
<input type="text" style="display:none">
<input type="password" style="display:none">
I haven't yet investigated IE or Firefox thoroughly but will be happy to update the answer if others have info in the comments.