
Turn off autocomplete for credit card input

Updated on December 07, 2023
By Pete Freitag

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number on a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers) and will cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.

While this entry was first written back in 2005, these days the autocomplete attribute can do a lot more than it could back then. You can use it to specify what type of field you have; for example, you can now say autocomplete="cc-number" to denote a credit card number field.
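As an added example (not code from the original post), the script below audits HTML form markup for card-number inputs and reports, for each one, whether it carries autocomplete="off", a typed cc-* token such as cc-number, or no autocomplete at all. It reads attribute values the way the browser does, so an input with no autocomplete of its own inherits the setting on its enclosing form. The field-name pattern (cc, ccnum, card_number, and so on) and the sample form are constructed for this example and are not taken from any real site.

```python
"""Audit HTML form markup for credit-card inputs and their autocomplete setting.
Added example using only the Python standard library."""
from html.parser import HTMLParser
import re

# Heuristic for field names that usually hold a card number. This pattern is an
# assumption made for the example; extend it to your own naming conventions.
CARD_NAME_RE = re.compile(r"^(cc|ccn|pan|(cc|card)[-_]?(num|number|no))$", re.I)


def classify_input(attrs, form_autocomplete):
    """Return a finding for a card-related <input>, or None for other inputs."""
    name = attrs.get("name") or ""
    own = (attrs.get("autocomplete") or "").strip().lower()
    # An input with no autocomplete attribute of its own inherits the <form> setting.
    effective = own or form_autocomplete or ""
    tokens = effective.split()
    typed = any(t.startswith("cc-") for t in tokens)  # cc-number, cc-csc, cc-exp, ...
    if not typed and not CARD_NAME_RE.match(name):
        return None
    if effective == "off":
        status = "ok"        # browser told not to remember or fill this field
    elif typed:
        status = "typed"     # browser knows it is card data and may offer autofill
    else:
        status = "missing"   # browser guesses; the value may end up stored in plain text
    return {"name": name, "autocomplete": effective or None, "status": status}


class FormAuditor(HTMLParser):
    """Collects findings for every <input> while tracking the enclosing <form>."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.form_autocomplete = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_autocomplete = (a.get("autocomplete") or "").strip().lower() or None
        elif tag == "input":
            finding = classify_input(a, self.form_autocomplete)
            if finding:
                self.findings.append(finding)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit(html):
    """Return the list of card-field findings for a chunk of HTML."""
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample form for demonstration; not a real site's markup.
SAMPLE_FORM = """
<form method="post" action="/pay">
  <input type="text" name="cc" />
  <input type="text" name="card_number" autocomplete="off" />
  <input type="text" name="ccnum" autocomplete="cc-number" />
  <input type="text" name="cvv" autocomplete="cc-csc" />
  <input type="email" name="email" />
</form>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_FORM):
        print(f"{f['status']:8} name={f['name']!r} autocomplete={f['autocomplete']}")
```

Run it against your own templates and treat every "missing" line as a field the browser is free to remember; "typed" fields are ones you have deliberately opened to the browser's card autofill, which is a choice to make per form rather than an accident.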

If you are interested in browser security features, you should also take a look at Content Security Policy (CSP). One feature relating to forms is the CSP form-action directive, which controls which URLs a form on your site can be submitted to. CSP has many features that you as a web developer can use to make a more secure browsing environment for your visitors.
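To show what the form-action directive actually decides, here is an added example (not from the original post) that parses a CSP header string and answers whether a form on a given page may submit to a given action URL. It covers 'self', 'none', '*', scheme sources such as https:, and host sources with an optional scheme, wildcard subdomain and port; the policy strings and URLs below are constructed for the example.

```python
"""Evaluate a CSP form-action directive against a form's submit target.
Added example using only the Python standard library."""
from urllib.parse import urljoin, urlsplit


def parse_directive(policy, name):
    """Return the source list of directive `name`, or None if it is absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        # *.example.com matches subdomains but not example.com itself
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(source, page, target):
    """Does one CSP source expression allow a submission from `page` to `target`?"""
    keyword = source.lower()
    if keyword == "'none'":
        return False
    if keyword == "'self'":
        # same scheme, host and port as the page the form lives on
        return (target.scheme, target.hostname, target.port) == (
            page.scheme, page.hostname, page.port)
    if keyword == "*":
        return target.scheme in ("http", "https")
    if keyword.endswith(":") and "/" not in keyword:
        return target.scheme == keyword[:-1]           # scheme-source, e.g. https:
    # host-source: [scheme://]host[:port], host may start with "*."
    parsed = urlsplit(source if "://" in source else "//" + source)
    if parsed.scheme and parsed.scheme.lower() != target.scheme:
        return False
    if not parsed.hostname or not _host_matches(parsed.hostname, target.hostname or ""):
        return False
    if parsed.port is not None and parsed.port != target.port:
        return False
    return True


def form_action_allowed(policy, page_url, action_url):
    """True if a form on page_url may submit to action_url under `policy`."""
    sources = parse_directive(policy, "form-action")
    if sources is None:
        return True   # form-action does not fall back to default-src
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, action_url))   # resolve relative actions
    return any(source_matches(s, page, target) for s in sources)


if __name__ == "__main__":
    # Constructed policy and URLs for demonstration.
    policy = "default-src 'self'; form-action 'self' https://pay.example.com"
    page = "https://shop.example.com/checkout"
    for action in ("/submit", "https://pay.example.com/charge", "https://evil.example.net/collect"):
        print(f"{action:40} -> {'allowed' if form_action_allowed(policy, page, action) else 'blocked'}")
```

The point worth noticing is the None branch: a policy that only sets default-src leaves form submissions unrestricted, so form-action has to be listed explicitly before it protects anything.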


Turn off autocomplete for credit card input was first published on October 07, 2005.


Comments

I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.
by Lola Lee on 10/07/2005 at 3:55:05 PM UTC
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.
by Ryon on 10/23/2005 at 11:39:39 PM UTC
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)
by Kumar on 12/13/2005 at 11:17:21 PM UTC
thank you for this. I was wondering how I could turn it off on my web page completely. I have imbedded iframes and the auto complete does not work correctly so I'd just like to turn it off completely.
by Amanda on 05/17/2006 at 5:29:59 PM UTC
About this feature autocomplete=off: Opera browsers ask you for each site whether you wish to save the user/password pair or not. But Opera has decided not to allow autofill by default. Sysadmins presumably set it that way in a corporate environment.

Sites which reject autofill really do not help users, I think: if you do not allow the browser to remember the password, you will, more likely, use an easy password, or put a sticky note on your monitor. How does that make online banking any safer?
by Frank on 12/17/2006 at 12:34:32 AM UTC
kevotheclone: I reckon you have to have at least three hands to do that....

You can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key
by Lazarus on 01/10/2008 at 9:04:24 PM UTC
Because the "autocomplete" parameter works only in Internet Explorer, I will present you my simple solution (in this case PHP):

First page (HTML form):

<form method="post">
<input type="hidden" name="username" value="random1">
<input type="hidden" name="password" value="random2">
Username: <input type="text" name="random1" value=""><br />
Password: <input type="password" name="random2" value="">
</form>

Where "random1" and "random2" are randomly generated names; you can generate them in combination with Unix time.

Second page (PHP output):

<?php
// The hidden "username" and "password" fields carry the random names that were
// generated for the real inputs; resolve those names, then read the values.
if ( isset($_POST['username'], $_POST['password']) &&
     isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    // Escape before echoing so user-supplied input cannot inject HTML.
    echo 'Username: '.htmlspecialchars($_POST[$_POST['username']]).'<br />'.
         'Password: '.htmlspecialchars($_POST[$_POST['password']]);
}
?>

With this simple solution you won't have to worry about autocomplete anymore in any browser.
by Tanase Laurentiu Iulian on 07/03/2008 at 10:05:14 AM UTC
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous.

As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.
by Nick G on 11/05/2008 at 3:13:11 AM UTC
I'm using Mozilla Firefox.
I tried elem.setAttribute("autocomplete","off");
but it is not working.
Can you help me with this?
by swathi on 02/04/2009 at 4:08:08 AM UTC
Simply use JavaScript to do that.
<script type="text/javascript">
function clearCC()
{
    document.getElementById('ccnum').value = "";
}

window.onload = clearCC;
</script>

Try this code, but I didn't check it; I just wrote it here :) .. If you have any problem you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am a web programmer; if any of you need any solution, just contact me.

Thanks
by Adnan on 09/17/2009 at 12:03:22 PM UTC
This seems to work in Firefox, but in IE the details are still shown when the back button is used!
by Reza Malik on 06/28/2010 at 5:40:16 PM UTC
Textbox entry was making me halt on the Safari browser; the code below solved my problem:
autocomplete="off".

Thanks Friend...
by gireesh on 08/10/2010 at 10:40:30 AM UTC
Pete, completely agree. Not only is it acceptable to break XHTML for this, but it is also actively required in order to attain PCI-DSS compliance, hence the reason Amazon use it.

I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.
by James @_Securatek on 09/16/2011 at 8:40:27 PM UTC