Sign in Subscribe
Security Tips

Security Tip: HTML autocomplete Attribute

[Tip#52] HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Lets take a look at how it helps your password fields and password managers work together!

Stephen Rees-Carter

Stephen Rees-Carter

2 min read
Security Tip: HTML autocomplete Attribute

The HTML autocomplete attribute is an incredibly useful attribute from a security point of view, as it allows you to help password managers interact with password fields. This makes it easier for users to generate and use secure passwords, keeping their accounts (and your app) more secure. It’s also incredibly easy to add to existing projects, making it easy to implement with minimal, if any, side affects.

<input type="password" ... autocomplete="<VALUE>">

Let’s take a look at the options you want:

autocomplete="new-password"

Instructs the browser to not autofill anything into this field, but instead wait for a new password. This makes it harder to accidently reuse passwords across apps. This should be used on both the New Password and Confirm Password fields.

Some browsers and password managers will prompt to create and store a new secure password in this field, which makes creating accounts with secure passwords super easy.

autocomplete="current-password"

Instructs the browser to autofill the known current password for the site. Making the login process easy.

This works well when used alongside the autocomplete="username" or autocomplete="email" attribute on your username/email field.

autocomplete="one-time-code"

Identifies One-Time-Password (OTP) fields, such as for Multi-Factor Authentication (MFA) via SMS, or App codes.

Some password managers, like 1Password, allow you to store App-based MFA tokens, so they can autofill during the login flow. (I believe SMS OTP tokens can also be autofilled on iOS?)

autocomplete="off"

As a special mention here, this setting is often requested on penetration tests and older compliance standards. However it is ignored by many browsers/password managers on password fields because it goes against modern password recommendations.

💡
Preventing autocompleting passwords encourages users to reuse terrible passwords and is terrible advice. If your penetration test recommends disabling autocomplete for passwords, you really need to find a better company to do your next test.

(No, I’m not just saying this because I do penetration tests🤣)

There are also a bunch of `cc-*` attributes that relate to collecting credit cards, which allows the browser to safely autofill card detail. I’m not going to cover them here, but if you’re collecting card details manually, you can check those out at the MDN Docs.t

Read more