LiquidFiles Documentation

Password Autocomplete
Allowing Browsers to Remember Passwords

What do I need to do to disable password autocomplete?
In short: to stop browsers from remembering users' passwords, you need to turn the clock back to 2015.

Background

For a long time, the security community debated whether it's better to permit browsers to remember passwords or not. Put simply, one side argued that not permitting browsers to remember passwords improves security, because it's then not possible to attack the browser where the passwords are stored. Those opposed argued that giving users tools to remember passwords makes them more likely to use better and more random passwords, and that this improves security.

The Internet community as a whole has now decided that it's more secure to permit browsers to remember passwords (autocomplete=on), and modern browsers, starting with Internet Explorer 11, Firefox v38 and Chrome v34, will set autocomplete=on (that is, permit the browser to remember passwords regardless of the setting). In other words, you cannot stop these browsers from remembering passwords, whatever setting you make. Please see the Mozilla Developers Guide for more information.

But my Vulnerability Scanner is showing this as a vulnerability?

To be blunt — you need a better/up-to-date security scanner!

There are two problems, depending on how you want to look at it:

  1. First, the Internet as a community has decided that autocomplete=on improves security, and modern browsers will turn it on regardless of what configuration you make (see above). So your scanner is not in line with current security practices. It should be updated, or replaced with a scanner that follows modern security practices and won't report this as a security vulnerability.
  2. And secondly, if you use the JavaScript below to rewrite the webpage as the browser loads the page and your scanner is not picking this up, it means that it's not capable of actually rendering the web page as browsers see it. The solution in both of these cases is to get a better scanner.

But I really want to disable users from remembering passwords anyway!

Ok, if you're really, really convinced you want to disable users from saving passwords, the first step you need to take is to make sure that no user is using a browser that's been updated since 2015 (which obviously has other interesting security challenges).

To set the autocomplete=off hint on all password fields in LiquidFiles, please add a JavaScript override (in Admin → Configuration → Branding) like this:

$(function() {
  $('[type=password]').attr('autocomplete', 'off');
});

If you want to add this to other fields, please find the id of that field using view source on the page. Let's say that you also want to set the hint on the email/username field on the home page. View source reveals that it has an id of id="user_email". Add it to the JavaScript override like this:

$(function() {
  $('[type=password]').attr('autocomplete', 'off');
  $('#user_email').attr('autocomplete', 'off');
});

This will set the password autocomplete off hint for all password fields, and fields with the id='user_email'.
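
To check that the override took effect, and to see why a scanner that only reads the served HTML keeps reporting the finding (point 2 above), the following audit compares the page as sent by the server with the DOM after the JavaScript has run. It is an added example, not LiquidFiles code; both HTML samples are constructed, and the field id user_password and the helper names are assumptions made for illustration.

```python
from html.parser import HTMLParser


class AutocompleteAudit(HTMLParser):
    """Record each audited <input> and the autocomplete hint it carries."""

    def __init__(self, extra_ids=()):
        super().__init__()
        self.extra_ids = set(extra_ids)  # non-password fields to audit as well
        self.fields = []                 # (field label, hint or None)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; valueless attributes arrive as None.
        attr = {name: (value or "") for name, value in attrs}
        is_password = attr.get("type", "").lower() == "password"
        if is_password or attr.get("id") in self.extra_ids:
            label = attr.get("id") or attr.get("name") or "(unnamed)"
            self.fields.append((label, attr.get("autocomplete", "").lower() or None))


def fields_without_hint(html, extra_ids=()):
    """Return the audited fields that do not carry autocomplete="off"."""
    audit = AutocompleteAudit(extra_ids)
    audit.feed(html)
    audit.close()
    return [label for label, hint in audit.fields if hint != "off"]


# Constructed sample: the login form as the server sends it (what a scanner
# that does not execute JavaScript sees). "user_password" is a made-up id.
SERVED_HTML = """
<form action="/login" method="post">
  <input type="text" id="user_email" name="email">
  <input type="password" id="user_password" name="password">
</form>
"""

# Constructed sample: the same form serialized from the live DOM after the
# override has run, e.g. copied from the browser's developer tools.
RENDERED_HTML = """
<form action="/login" method="post">
  <input type="text" id="user_email" name="email" autocomplete="off">
  <input type="password" id="user_password" name="password" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    print("served:  ", fields_without_hint(SERVED_HTML, ["user_email"]))
    print("rendered:", fields_without_hint(RENDERED_HTML, ["user_email"]))
```

An empty result for the rendered DOM only shows that the hint is present; as described above, current browsers can still remember the password.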