Autocomplete is a feature that remembers user names submitted in login forms, as well as all words submitted through any forms in the system. This topic focuses only on the autocomplete functionality in login forms.
When users try to log in using a form, the autocomplete feature provides them with a list of already remembered user names. This is convenient for the users in many ways:
- The users do not have to type the whole user name every time they want to log in.
- If the users forget their user names, this feature can help them log in.
- It reduces the discomfort of having to type user names repeatedly on mobile devices.
However, using autocomplete can pose a security risk. A malicious user who obtains user names from the autocomplete feature may gain access to the users’ accounts, for example using a dictionary attack. Thus, you should always consider the damage a malicious user can do to the users’ accounts. This threat mainly depends on the type of application you are creating and how the application will be used (on private computers only, or in public places like schools, libraries, etc.).
You should disable autocomplete in applications working with:
- bank accounts,
- social media,
- sensitive information.
On the other hand, autocomplete can be useful in applications like:
- interest and hobby forums.
The autocomplete functionality can be disabled for the username input in login forms using the autocomplete HTML attribute:
<input name="Login1$UserName" class="LogonTextBox" id="Login1_UserName" type="text" maxlength="100" autocomplete="Off" />
To disable autocomplete in login forms:
- Open the Settings application.
- Select the Security & Membership -> Protection setting tree item.
- Clear the Enable Autocomplete check box.
- Click Save.
Note: With autocomplete disabled, the system generates the autocomplete="Off" attribute for username inputs in sign-in forms. However, handling of the attribute depends on individual browsers, their configuration, installed plugins, etc. Some client configurations and applications may use autocomplete features even when the attribute is set to off.
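One way to confirm that rendered sign-in markup actually carries the attribute, as an added example that is not part of the product or the original page. The function name, the set of input types checked and the sample markup are assumptions made for illustration; the check also honours a form-level autocomplete default, which an input's own attribute overrides.

```python
from html.parser import HTMLParser

# Input types that can hold a user name (assumption for this example;
# password and other input types are skipped).
TEXT_TYPES = {"text", "email", ""}


class AutocompleteAudit(HTMLParser):
    """Collect text inputs whose effective autocomplete state is not "off"."""

    def __init__(self):
        super().__init__()
        self.form_default = None  # autocomplete value of the enclosing <form>
        self.findings = []        # ids/names of inputs that still autocomplete

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_default = a.get("autocomplete", "").strip().lower()
        elif tag == "input" and a.get("type", "").strip().lower() in TEXT_TYPES:
            # An input's own attribute overrides the form-level default.
            own = a.get("autocomplete")
            effective = own.strip().lower() if own is not None else (self.form_default or "")
            if effective != "off":  # attribute values are case-insensitive
                self.findings.append(a.get("id") or a.get("name") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None


def inputs_with_autocomplete(html):
    """Return ids (or names) of text inputs not rendered with autocomplete off."""
    audit = AutocompleteAudit()
    audit.feed(html)
    return audit.findings


# Constructed sample markup, modelled on the input shown on this page.
SAMPLE = """
<form id="f1">
  <input name="Login1$UserName" id="Login1_UserName" type="text" autocomplete="Off" />
  <input name="Login1$Password" id="Login1_Password" type="password" />
</form>
<form id="f2" autocomplete="off">
  <input id="Inherited_UserName" type="text" />
  <input id="Override_UserName" type="text" autocomplete="on" />
</form>
<form id="f3"><input id="Plain_UserName" type="text" /></form>
"""

if __name__ == "__main__":
    print(inputs_with_autocomplete(SAMPLE))
```

An empty result only shows that the markup is correct; as the note above says, whether a given browser honours the attribute is a separate matter.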