
Turn off autocomplete for credit card input

web

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers) and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
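To see the attribute checked across a whole checkout form, and to catch the field that is easiest to forget (the CVV, which needs the attribute just as much as the card number), here is an added example that is not part of the original post: a small Node.js script that scans an HTML fragment for card-related inputs lacking autocomplete="off", either on the input itself or inherited from the enclosing <form> element. The sample markup, the field-name heuristic and the function names are constructed for this example.

```javascript
// Added example, not code from the original post. Audits an HTML fragment
// for card-related <input> fields that are not protected by
// autocomplete="off", either on the field or on the enclosing <form>.
// Runs under Node.js without a DOM; tags are parsed with regular expressions,
// which is fine for hand-written templates but is not a full HTML parser.

// Heuristic (constructed for this example): field names that usually hold a
// card number or security code. The \b guards keep "account" from matching "cc".
const SENSITIVE_NAME = /(credit|card|\bcc\b|\bcc[_-]|cvv|cvc|csc|\bpan\b)/i;

// Parse the attributes of one opening tag into an object with lowercase keys.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[\w-]+/, '').replace(/\/?>$/, '');
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function autocompleteOff(attrs) {
  return (attrs.autocomplete || '').trim().toLowerCase() === 'off';
}

// Returns the names of sensitive inputs that would still be offered to the
// browser's form-completion store. Hidden fields and buttons are ignored.
function auditAutocomplete(html) {
  const findings = [];
  const tagRe = /<\s*(\/?)\s*(form|input)\b[^>]*>/gi;
  let inForm = false;
  let formOff = false;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    if (m[2].toLowerCase() === 'form') {
      // A form-level autocomplete="off" covers every input inside it.
      inForm = !closing;
      formOff = closing ? false : autocompleteOff(parseAttrs(m[0]));
      continue;
    }
    const attrs = parseAttrs(m[0]);
    const type = (attrs.type || 'text').toLowerCase();
    if (['hidden', 'submit', 'button', 'reset', 'image'].includes(type)) continue;
    const fieldName = attrs.name || attrs.id || '';
    if (!SENSITIVE_NAME.test(fieldName)) continue;
    if (!(autocompleteOff(attrs) || (inForm && formOff))) findings.push(fieldName);
  }
  return findings;
}

// Constructed sample: the first form protects the card number but forgets the
// CVV; the second form sets the attribute once on the <form> element.
const SAMPLE_CHECKOUT = `
<form method="post" action="/pay">
  Name: <input type="text" name="fullname">
  Card: <input type="text" name="cc" autocomplete="off">
  CVV:  <input type="text" name="cvv">
  <input type="submit" value="Pay">
</form>
<form method="post" action="/pay" autocomplete="off">
  Card: <input type="text" name="cardnumber">
  CVV:  <input type="password" name="cvc">
</form>
`;

const missing = auditAutocomplete(SAMPLE_CHECKOUT);
console.log(missing.length ? `Missing autocomplete="off": ${missing.join(', ')}` : 'OK');
```

Run it with node and it reports the unprotected field names (here only "cvv"). The regex parser will not cope with attribute values containing ">" or with inputs that script adds at runtime, so treat it as a template lint rather than a guarantee. Note also that the autocomplete attribute has since been standardized in HTML5, so the XHTML validation concern above does not apply to HTML5 documents.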



On 10/07/2005 at 3:55:05 PM MDT Lola Lee wrote:
1
I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.

On 10/10/2005 at 2:59:31 PM MDT Ken Kolano wrote:
2
I tend to apply non-standard attributes like that using JavaScript. This lets me only use them on platforms where they work, and leaves my code nice and standards compliant elsewhere.

On 10/23/2005 at 11:10:19 PM MDT Jason G wrote:
3
I haven't actually tested this, but it should work:

Another way to make it so that auto-complete doesn't work, but that is still valid XHTML, is to randomly generate part of the field name/id.

So for example:

name="creditcard12310093409" ... then you instruct your code to check for a form field with a name beginning in "creditcard". Since the likelihood of the field name being the same twice is pretty low, the credit card number should never appear in the field when auto-complete is used.

On 10/23/2005 at 11:39:39 PM MDT Ryon wrote:
4
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.

On 12/13/2005 at 11:17:21 PM MST Kumar wrote:
5
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)

On 12/30/2005 at 12:59:12 PM MST Graphixer wrote:
6
I took a look at Amazon.com's source, and they use the autocomplete="off" in their forms quite a bit.

If it's good enough for them...

On 04/08/2006 at 1:41:04 PM MDT Rainy Day wrote:
7
As a Mac user, I find this flag really annoying because there's no value in it for me. Autofill information is safely encrypted and stored on the Keychain by Safari. So this flag, for things like user passwords, encourages the use of weak passwords which can be easily remembered, or are stored in plaintext files on the hard drive.

Fortunately, there is an app which will disable the autocomplete flag for Mac Safari users:

http://magicpubs.com/mac/software/autocomplete/

On 05/17/2006 at 5:29:59 PM MDT Amanda wrote:
8
Thank you for this. I was wondering how I could turn it off on my web page completely. I have embedded iframes and the auto-complete does not work correctly, so I'd just like to turn it off completely.

On 07/07/2006 at 11:36:16 AM MDT Jeff wrote:
9
This is a great feature I use not to protect data, but to just disable the autocomplete box from popping up. I have an Excel-like grid, and autocomplete gets in the way when using the arrows to go around the grid (cause typically if the autocomplete box is there and you press down, it selects an autocomplete option, not fire the key-down for the down arrow). And it also gets in the way of looking at the grid.

So I think Mac users shouldn't purposely disable it cause they think we're only using it for security. Using your little open source program breaks my web application. The web developer didn't want autocomplete, so you shouldn't put it.

On 07/18/2006 at 4:47:33 PM MDT kevotheclone wrote:
10
autocomplete="off" can also be used with the <form> element to disable autocomplete in an entire form. Also, if you must fill out a form with autocomplete enabled on a computer running IE, you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 11/08/2006 at 1:32:35 AM MST Ngoc Nam wrote:
12
Thank you! I've just made an input form to input a credit card! This topic is useful for me and others!

On 12/17/2006 at 12:34:32 AM MST Frank wrote:
13
About this autocomplete=off feature: Opera browsers ask you for each site whether you wish to save the user/password pair or not. But Opera has decided not to support autofill by default. A sysadmin can presume it in a corporate environment.

Sites which reject autofill really do not help users, I think: if you do not allow a browser to remember the password, you will more probably use an easy password, or place a sticky note on your monitor. How does that make online banking safer?

On 04/16/2007 at 12:14:17 PM MDT Linn wrote:
14
I have a combo box I've created that modifies an existing textbox. It works great, but the auto-complete portion completely broke the functionality. I think having the ability to turn it off is a good thing. In fact, I think the more control a developer has over an HTML object, the better, as long as it does not cause any major security issues.

On 10/03/2007 at 1:20:15 AM MDT Arun wrote:
15
But how can I implement the same in a Struts html tag?

On 12/03/2007 at 6:23:42 AM MST Marius wrote:
16
Thank you. Exactly what I needed to make my own search keyword suggestion system. Take care

On 12/07/2007 at 6:54:36 AM MST Mike wrote:
17
thank you

On 01/10/2008 at 9:04:24 PM MST Lazarus wrote:
18
kevotheclone: I reckon you have to have at least three hands to do that....

you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 02/06/2008 at 9:21:01 AM MST Uli wrote:
19
I solve it this way - as said before - with JavaScript:

onfocus="this.autocomplete='off';"

On 03/30/2008 at 7:59:34 PM MST luigi193 wrote:
20
Thanks a ton! I wrote a square foot calculator in PHP for finding prices with dimensions, and whenever I went to enter it, the stupid autofill came on!!! Now that I set the setting, it works great! Wish I read the thing how you can apply it to the <form> tag BEFORE I manually entered it all...

On 07/03/2008 at 10:05:14 AM MDT Tanase Laurentiu Iulian wrote:
21
Because the "autocomplete" parameter works only in Internet Explorer, I will present my simple solution (in this case PHP):

First page (HTML form):

<form method="post">
  <!-- the hidden fields carry the random names of the real inputs -->
  <input type="hidden" name="username" value="random1">
  <input type="hidden" name="password" value="random2">
  Username: <input type="text" name="random1" value=""><br />
  Password: <input type="password" name="random2" value="">
  <input type="submit" value="Login">
</form>

Where "random1" and "random2" are randomly generated names; you can use them in combination with unix time.

Second page (PHP output):

<?php
// Read the random field names from the hidden inputs, then fetch the
// values of the fields they point at. Output is escaped so that a crafted
// submission cannot inject HTML into the page.
if ( isset($_POST['username'], $_POST['password'])
     && isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    echo 'Username: ' . htmlspecialchars($_POST[$_POST['username']]) . '<br />'
       . 'Password: ' . htmlspecialchars($_POST[$_POST['password']]);
}
?>

With this simple solution you won't need to worry about autocomplete anymore in any browser.

On 09/03/2008 at 2:11:04 AM MDT K S Jones wrote:
22
I also noticed this feature while using a major online payment provider a couple of years ago and have ensured that I have done the same ever since. They used it on the main credit card number field but hadn't added it to the CVV field (verification number on the back of the card). I pointed this out and it was passed on to their development team - I'm not sure if it was actioned. That aside, please remember to apply autocomplete="off" to this field as well; receipts sometimes carry the full card number and expiry etc., so this CVV number is all that would stop online purchases on cards without the new Verified By Visa system (or equiv').

On 09/17/2008 at 5:40:49 AM MDT Dan wrote:
23
Setting the autocomplete attribute with JavaScript doesn't seem to work in Firefox.

On 09/17/2008 at 10:20:42 AM MDT Jeff wrote:
24
It does, but you need to set it using the "setAttribute" function like so:

elem.setAttribute("autocomplete","off");

This is because Firefox doesn't allow non-standard attributes to be set the short-hand way.

On 11/04/2008 at 4:04:24 AM MST Majic wrote:
25
Really, you should be using a secure connection (https) when collecting sensitive information, like credit card details. IE does not enable autocomplete on https. Although you'll still have the same problem with FF.

On 11/05/2008 at 3:13:11 AM MST Nick G wrote:
26
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous.

As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.

On 01/09/2009 at 4:44:19 AM MST h wrote:
27
superrrrrrrrrrrrrr rrrrrrrrr

On 02/04/2009 at 4:08:08 AM MST swathi wrote:
28
I'm using Mozilla Firefox. I tried elem.setAttribute("autocomplete","off"); but it is not working. Can you help me with this?
