Turn off autocomplete for credit card input
By Pete Freitag
Memo to web developers building sites that accept credit card numbers:
Always, always set autocomplete="off" in the input tag. For example:
<input type="text" name="cc" autocomplete="off" />
Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.
The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers) and would cause XHTML validation to fail. However, I think this is a case where it's reasonable to break validation.
I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
While this entry was first written back in 2005, these days the autocomplete attribute can do a lot more than it could back then. You can use it to specify what type of field you have, so for example you can now say autocomplete="cc-number" to denote a credit card number field.
If you are interested in browser security features, then you should also take a look at Content Security Policy (CSP). One feature relating to forms is the CSP form-action directive, which controls to what URLs a form on your site can be submitted. CSP has a lot of features that you as a web developer can use to make a more secure browsing environment for your visitors.
Turn off autocomplete for credit card input was first published on October 07, 2005.
Comments
Sites which reject autofill really do not help users, I think: if you do not allow the browser to remember the password, you will more probably use an easy password, or place a sticky note on your monitor. How does that make online banking safer?
You can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key
First page ( HTML Form ) :
<form method="post">
<input type="hidden" name="username" value="random1">
<input type="hidden" name="password" value="random2">
Username: <input type="text" name="random1" value=""><br />
Password: <input type="password" name="random2" value="">
</form>
Where "random1" and "random2" are randomly generated names; you can generate them in combination with Unix time.
Second page ( PHP output ) :
<?php
// Look up the real field names from the hidden "username"/"password" inputs.
if ( isset($_POST['username'], $_POST['password']) &&
     isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    // Escape before echoing so submitted values cannot inject HTML into the page.
    echo 'Username: '.htmlspecialchars($_POST[$_POST['username']]).'<br />'.
         'Password: '.htmlspecialchars($_POST[$_POST['password']]);
}
?>
With this simple solution you won't have to worry about autocomplete anymore in any browser.
As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.
I tried elem.setAttribute("autocomplete","off");
but it is not working.
Can you help me with this?
<script type="text/javascript">
function clearCC()
{
document.getElementById('ccnum').value = "";
}
window.onload = clearCC;
</script>
Try this code, but I didn't check it; I just wrote it here :) .. for any problem you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am a web programmer; if any of you need any solution just contact me.
Thanks
autocomplete="off".
Thanks Friend...
I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.