Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers:
Always, always set
autocomplete="off" in the
input tag. For example:
<input type="text" name="cc" autocomplete="off" />
Otherwise, if people have the form completion feature turned on their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.
The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation however.
I have been mentioning this to people a few years, but I just realized that I have never blogged about it.
- RecomendaciÃƒÂ³n para los formularios para tarjetas de crÃƒÂ©ditos Tinta Fantasma
- Autocompletar y la informaciï¿½n sensible Tranquilidad
worked for FF 3.5 like a breeze :)
So, please, let the users decide. It's not your decision!
It's "embedded," sweetheart.
Also, don't use iFrames.
Also, girls don't code.
Unfortunately, browsers don't tend to let you turn on autocomplete *sometimes*. You turn it on or off. As a user, I would appreciate sites turning off autocomplete on fields relating to credit cards, for example. As a programmer, I would prefer to turn off autocomplete for the same fields to avoid problems. You cannot assume that users will even know how to turn off autocomplete in their browser. Just because someone is buying something online does not mean that they know ANYTHING about computers other than how to go to a web page and type their CC info.
In summary, I believe that there should be a standard for disabling browser autocomplete. It's not a usability nightmare as some people have mentioned. It's a security measure. If my credit card number isn't stored in my browser's autocomplete, that's not an inconvenience, it's a relief.
Some good points made from standards perspectives BUT forms are different from what we normally do (which is push information). Forms PULL information.
With autocomplete, we might inadvertantly push what was pulled.
Now consider this: the user is not always whom we think they are. The user might not be whom we intend them to be.
Disabling autocomplete therefore protects the data and the user community. "Do what's good for the user" now includes their online security.
Credit Card Application
Buying things on the web or in-store? which often would you prefer? just wondering lol.. i love in-store because i hate waiting for it to come!
I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.
If you set autocomplete to be anything besides "on" or "off" it will actually disable Chrome autofill
- CFSummit 2016 Slides
- Securing Legacy CFML - dev.Objective() 2016 Slides
- My CFSummit 2015 Slide Decks
- Adding Chrome Custom Search for CFDocs
- Disable Flash Remoting on ColdFusion Servers
- HackMyCF Adds SSL/TLS Scanner
- IncompatibleClassChangeError after ColdFusion 11 Update 5
- Scope Injection in CFML