Turn off autocomplete for credit card input

web

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the browser's form completion feature turned on, their credit card number will be stored in plain text somewhere on their computer (in the registry or elsewhere). This is especially dangerous when someone enters a credit card number on a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers) and causes XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
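As an added example (not code from the original post), here is a small JavaScript audit helper that scans form markup and reports card-data inputs that are still eligible for browser form completion. It applies the rule that an input inherits the enclosing form's autocomplete attribute unless it sets its own; the card-field name patterns, the regex-based tag parsing and the sample form are assumptions constructed for this example.

```javascript
// Name/id fragments treated as card data (assumed list, extend as needed).
const CARD_FIELD = /\b(cc|card|cvv|cvc|expir)/i;

// Pull attr="value" / attr='value' / attr=value pairs out of one tag's attribute text.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).toLowerCase();
  }
  return attrs;
}

// Returns the names of card-related inputs whose effective autocomplete is not "off".
// An <input> uses its own autocomplete attribute if present, otherwise the
// enclosing <form>'s, otherwise the browser default ("on").
function findUnprotectedCardFields(html) {
  const findings = [];
  let formAutocomplete = null;
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, closing, tag, attrText] = m;
    if (tag.toLowerCase() === 'form') {
      formAutocomplete = closing ? null : (parseAttrs(attrText).autocomplete ?? null);
      continue;
    }
    const attrs = parseAttrs(attrText);
    const label = attrs.name || attrs.id || '';
    if (!CARD_FIELD.test(label)) continue;
    const effective = attrs.autocomplete ?? formAutocomplete ?? 'on';
    if (effective !== 'off') findings.push(label);
  }
  return findings;
}

// Constructed sample: the card number is protected, the CVV and expiry were forgotten.
const SAMPLE_FORM = `
<form method="post" action="/checkout">
  <input type="text" name="cc" autocomplete="off" />
  <input type="text" name="cvv" />
  <input type="text" name="expiry" />
  <input type="text" name="email" />
</form>
<form method="post" action="/pin" autocomplete="off">
  <input type="password" name="cardpin" />
</form>`;

console.log(findUnprotectedCardFields(SAMPLE_FORM));
```

Running it against the sample reports `cvv` and `expiry`; the `cardpin` field passes because it inherits the form-level `autocomplete="off"`.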



Comments

On 10/07/2005 at 5:55:05 PM EDT Lola Lee wrote:
1
I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.

On 10/10/2005 at 4:59:31 PM EDT Ken Kolano wrote:
2
I tend to apply non-standard attributes like that using JavaScript. This lets me only use them on platforms where they work, and leaves my code nice and standards compliant elsewhere.

On 10/24/2005 at 1:10:19 AM EDT Jason G wrote:
3
I haven't actually tested this, but it should work:

Another way to make it so that auto-complete doesn't work, but that is still valid XHTML is to randomly generate part of the field name/id.

so for example:

name="creditcard12310093409" ... then you instruct your code to check for a form field with a name beginning in credit card. Since the likelihood of the field name being the same twice is pretty low, the credit card number should never appear in the field when auto complete is used.

On 10/24/2005 at 1:39:39 AM EDT Ryon wrote:
4
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.

On 12/14/2005 at 1:17:21 AM EST Kumar wrote:
5
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)

On 12/30/2005 at 2:59:12 PM EST Graphixer wrote:
6
I took a look at Amazon.com's source, and they use the autocomplete="off" in their forms quite a bit.

If it's good enough for them...

On 04/08/2006 at 3:41:04 PM EDT Rainy Day wrote:
7
As a Mac user, I find this flag really annoying because there's no value in it for me. Autofill information is safely encrypted and stored on the Keychain by Safari. So this flag, for things like user passwords, encourages the use of weak passwords which can be easily remembered, or are stored in plaintext files on the hard drive.

Fortunately, there is an app which will disable the autocomplete flag for Mac Safari users:

http://magicpubs.com/mac/software/autocomplete/

On 05/17/2006 at 7:29:59 PM EDT Amanda wrote:
8
thank you for this. I was wondering how I could turn it off on my web page completely. I have imbedded iframes and the auto complete does not work correctly so I'd just like to turn it off completely.

On 07/07/2006 at 1:36:16 PM EDT Jeff wrote:
9
This is a great feature I use not to protect data, but to just disable the autocomplete box from popping up. I have an Excel-like grid, and autocomplete gets in the way when using the arrows to go around the grid (cause typically if the autocomplete box is there and you press down, it selects an autocomplete option, not fire the key-down for the down arrow). And it also gets in the way of looking at the grid.

So I think Mac users shouldn't purposely disable it cause they think we're only using it for security. Using your little open source program breaks my web application. The web developer didn't want autocomplete, so you shouldn't put it.

On 07/18/2006 at 6:47:33 PM EDT kevotheclone wrote:
10
autocomplete="off" can also be used with the <form> element to disable autocomplete in an entire form. Also, if you must fill out a form with autocomplete enabled on a computer running IE, you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 11/08/2006 at 3:32:35 AM EST Ngoc Nam wrote:
12
Thank you! I've just made an input form for credit cards! This topic is useful for me and others!

On 12/17/2006 at 2:34:32 AM EST Frank wrote:
13
About this autocomplete=off feature: Opera browsers ask you, for each site, whether you wish to save the user/password pair or not. But Opera has decided not to support autofill by default; presumably a sysadmin would set it that way in a corporate environment.

Sites which reject autofill really do not help users, I think: if you do not let a browser remember the password, you will more likely use an easy password, or put a sticky note on your monitor. How does that make online banking safer?

On 04/16/2007 at 2:14:17 PM EDT Linn wrote:
14
I have a combo box I've created that modifies an existing textbox. It works great, but the auto-complete portion completely broke the functionality. I think having the ability to turn it off is a good thing. In fact, I think the more control a developer has over an HTML object, the better, as long as it does not cause any major security issues.

On 10/03/2007 at 3:20:15 AM EDT Arun wrote:
15
But how can I implement the same in a Struts html tag?

On 12/03/2007 at 8:23:42 AM EST Marius wrote:
16
Thank you. Exactly what I needed to make my own search keyword suggestion system. Take care

On 12/07/2007 at 8:54:36 AM EST Mike wrote:
17
thank you

On 01/10/2008 at 11:04:24 PM EST Lazarus wrote:
18
kevotheclone: I reckon you have to have at least three hands to do that....

you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 02/06/2008 at 11:21:01 AM EST Uli wrote:
19
I solve it this way - as said before - JavaScript:

onfocus='this.autocomplete="off";'

On 03/30/2008 at 9:59:34 PM EDT luigi193 wrote:
20
Thanks a ton! I wrote a square foot calculator in PHP for finding prices with dimensions, and whenever I went to enter it, the stupid autofill came on!!! Now that I set the setting, it works great! Wish I read the thing how you can apply it to the <form> tag BEFORE I manually entered it all...

On 07/03/2008 at 12:05:14 PM EDT Tanase Laurentiu Iulian wrote:
21
Because the "autocomplete" parameter works only in Internet Explorer, I will present you my simple solution (in this case PHP):

First page ( HTML Form ) :

<form method="post">
  <input type="hidden" name="username" value="random1">
  <input type="hidden" name="password" value="random2">
  Username: <input type="text" name="random1" value=""><br />
  Password: <input type="password" name="random2" value="">
</form>

Where "random1" and "random2" are randomly generated names; you can generate them in combination with the Unix time.

Second page ( PHP output ) :

<?php
// The hidden fields carry the randomly generated names of the real fields,
// so look those names up first and then read the fields they point to.
if ( isset($_POST['username'], $_POST['password'])
     && isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    // Escape the submitted values before echoing them into the page.
    echo 'Username: ' . htmlspecialchars($_POST[$_POST['username']]) . '<br />'
       . 'Password: ' . htmlspecialchars($_POST[$_POST['password']]);
}
?>

With this simple solution you won't have to worry about autocomplete anymore in any browser.

On 09/03/2008 at 4:11:04 AM EDT K S Jones wrote:
22
I also noticed this feature while using a major online payment provider a couple of years ago and have ensured that I have done the same ever since. They used it on the main credit card number field but hadn't added it to the CVV field (verification number on the back of the card). I pointed this out and it was passed on to their development team - I'm not sure if it was actioned? That aside, please remember to apply the autocomplete="off" to this field as well: receipts sometimes carry the full card number and expiry etc., and this CVV number is all that would stop online purchases on cards without the new Verified By Visa system (or equiv').

On 09/17/2008 at 7:40:49 AM EDT Dan wrote:
23
Setting the autocomplete attribute with JavaScript doesn't seem to work in Firefox.

On 09/17/2008 at 12:20:42 PM EDT Jeff wrote:
24
It does, but you need to set it using the "setAttribute" function like so:

elem.setAttribute("autocomplete","off");

This is because Firefox doesn't allow non-standard attributes to be set the short-hand way.

On 11/04/2008 at 6:04:24 AM EST Majic wrote:
25
Really, you should be using a secure connection (https) when collecting sensitive information, like credit card detail. IE does not enable autocomplete on https. Although you'll still have the same problem with FF.

On 11/05/2008 at 5:13:11 AM EST Nick G wrote:
26
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous.

As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.

On 01/09/2009 at 6:44:19 AM EST h wrote:
27
superrrrrrrrrrrrrr rrrrrrrrr

On 02/04/2009 at 6:08:08 AM EST swathi wrote:
28
I'm using Mozilla Firefox. I tried elem.setAttribute("autocomplete","off"); but it is not working. Can you help me with this?

On 07/09/2009 at 12:33:27 AM EDT Anonymous wrote:
29
no .

On 09/17/2009 at 2:03:22 PM EDT Adnan wrote:
30
Simply use JavaScript to do that:

<script type="text/javascript">
function clearCC() {
    document.getElementById('ccnum').value = "";
}
window.onload = clearCC;
</script>

Try this code, but I didn't check it; I just wrote it here :) .. Any problem, you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am a web programmer; if any of you need any solution just contact me.

Thanks

On 10/27/2009 at 11:00:23 AM EDT napu wrote:
31
Thanks for the tip Jeff!! The code

elem.setAttribute("autocomplete","off");

worked for FF 3.5 like a breeze :)

On 12/10/2009 at 6:18:07 PM EST karl wrote:
32
Hey... it's my browser, not yours. If I enable the autosave feature, I want to get things saved. If I don't want it, I disable the feature.

So, please, let the users decide. It's not your decision!

On 12/14/2009 at 3:56:36 PM EST Cork wrote:
33
@Amanda

It's "embedded," sweetheart.

Also, don't use iFrames.

Also, girls don't code.

Also.

On 01/27/2010 at 6:10:45 AM EST Raj wrote:
34
cool,it worked:)

On 02/05/2010 at 6:32:11 PM EST ben wrote:
35
@karl

Unfortunately, browsers don't tend to let you turn on autocomplete *sometimes*. You turn it on or off. As a user, I would appreciate sites turning off autocomplete on fields relating to credit cards, for example. As a programmer, I would prefer to turn off autocomplete for the same fields to avoid problems. You cannot assume that users will even know how to turn off autocomplete in their browser. Just because someone is buying something online does not mean that they know ANYTHING about computers other than how to go to a web page and type their CC info.

In summary, I believe that there should be a standard for disabling browser autocomplete. It's not a usability nightmare as some people have mentioned. It's a security measure. If my credit card number isn't stored in my browser's autocomplete, that's not an inconvenience, it's a relief.

On 03/10/2010 at 10:58:17 PM EST dataSpheric wrote:
36
Aha! Somebody told me there was an "argument" here about autocomplete.

Some good points made from standards perspectives BUT forms are different from what we normally do (which is push information). Forms PULL information.

With autocomplete, we might inadvertently push what was pulled.

Now consider this: the user is not always whom we think they are. The user might not be whom we intend them to be.

Disabling autocomplete therefore protects the data and the user community. "Do what's good for the user" now includes their online security.

On 06/24/2010 at 11:49:56 PM EDT Jodis wrote:
37
I didn't know how to turn that off.

On 06/28/2010 at 7:43:53 AM EDT Reza Malik wrote:
38
This seems to work in Firefox, but in IE the details are still shown when the back button is used!

On 07/09/2010 at 6:31:02 AM EDT Dave wrote:
40
Reza, autocomplete is the dropdown type thing that shows previously entered values when you start typing in a field. If you want field values cleared, use JavaScript. jQuery makes it easy...

$(document).ready(function(){ $.each($('input'), function(){ $(this).val(''); }); });

On 08/10/2010 at 12:40:30 PM EDT gireesh wrote:
41
Textbox entry was making me halt on the Safari browser; the code below solved my problem: autocomplete="off".

Thanks Friend...

On 08/17/2011 at 3:23:55 PM EDT Randy wrote:
47
By the way, having autocomplete="off" is an implementation recommended by PCI-DSS for password and card data form fields, regardless of whether or not the page is behind an SSL certificate.

On 09/16/2011 at 10:40:27 PM EDT James @_Securatek wrote:
48
Pete, completely agree. Not only is it acceptable to break xHTML for this, but it is also actively required in order to attain PCI-DSS compliance, hence the reason Amazon use it.

I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.
