Turn off auto complete on password textbox

Turn off auto complete on password textbox

by Anthony Nguyen -
Number of replies: 6

I am creating a form that has 2 fields of type textbox and password. 

$mform->addElement('text', 'username', get_string('onepay_username', 'admin'), $editoroptions)->setValue( array('text' => $username) );
$mform->addRule('username', get_string('onepay_username_invalid', 'course'), 'required', null, 'client');
//$mform->setType('username', PARAM_RAW);

$mform->addElement('password', 'password', get_string('onepay_password', 'admin'), $editoroptions)->setValue( array('text' => $password) );
$mform->addRule('password', get_string('onepay_password_invalid', 'course'), 'required', null, 'client');
//$mform->setType('password', PARAM_RAW);


One problem I have encountered is the password field keeps being auto-filled.


Can anyone tell me how to disable auto-complete please? Thanks.

Average of ratings: -
In reply to Anthony Nguyen

Re: Turn off auto complete on password textbox

by Alex Noble -

I think the admin settings have an option for autocomplete referenced as loginpasswordautocomplete

It is a tickbox that when selected stops the browser being able to use autocomplete but I would guess it is adding the html form tag autocomplete="off"

/admin/search.php?query=autocomplete

Average of ratings: -
In reply to Anthony Nguyen

Re: Turn off auto complete on password textbox

by Richard Oelmann -
Picture of Core developers Picture of Plugin developers Picture of Testers

I believe there was a discussion around this issue - i want to say not long ago, but it may have been last year - where ir was raised that this is in fact a browser function (Chrome?), rather than a moodle specific one?

Average of ratings: -
In reply to Anthony Nguyen

Re: Turn off auto complete on password textbox

by Marina Glancy -
Picture of Core developers Picture of Moodle HQ Picture of Moodle Workplace team Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers Picture of Testers

Hello,

we have faced the same problem with standard fields that store shared secrets that are not passwords but should not be visible.

Unfortunately latest versions of browsers completely ignore autocomplete=off and still populate <input type="password"> with the password.

There were several attempts to trick the browsers and yet browsers would release new versions and ignore all our tricks again.

In the end special form element 'passwordunmask' was added in MDL-53048 (Moodle 3.2) to both moodleforms and admin settings.


If you develop plugin for Moodle 3.1 or earlier there is no neat solution unfortunately. You can choose to use 'text' field if you really don't want autocomplete

Average of ratings: -
In reply to Marina Glancy

Re: Turn off auto complete on password textbox

by Anthony Nguyen -
I've found a workaround to bypass autocomplete. I set some default value for the password textbox. Amazingly that Google Chrome ignores all texboxes that have default values set.
Average of ratings: -
In reply to Marina Glancy

Re: Turn off auto complete on password textbox

by Rob P -

I've noticed this is a problem for anyone editing user profiles too. The username and password gets automatically filled in to the Address and User Salt fields at the end of the page.

example

This can lead to the editing user's username and password being leaked if they're not attentive because the user salt is displayed when you view the user's profile after.

example2

I've noticed this as a problem since our site was 2.9, we're currently on 3.3 and it's still present.

Average of ratings: -
In reply to Marina Glancy

Re: Turn off auto complete on password textbox

by gautam Das -

Hello,

I have found a function prevent_form_autofill_password() in /lib/weblib.php in moodle version 2.7 to 3.1

Moodle has been tried to fix this issue using this function.

I have added some html elements into this function in moodle version 3.1. The changed function has been written as:

function prevent_form_autofill_password() {
    return '<div class="hide"><input type="text" class="ignoredirty" /><input name="username" class="ignoredirty" /><input type="password" name="password" class="ignoredirty" /><input type="password" name="newpassword" class="ignoredirty" /></div>';
}

Now, its prevent browsers from automatically inserting the user's password into the form fields. It works....


Average of ratings: Useful (1)