Turn off autocomplete for credit card input


Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
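
An added example, not part of the original post: a small Node.js check that scans markup for card-related inputs whose effective autocomplete setting is not "off", where a field's own attribute takes precedence over the one on its enclosing form. The field-name pattern, the function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: static check that card fields opt out of browser form history.
// Assumption: names starting with cc/cvv/cvc, or containing "card", are sensitive.
const SENSITIVE = /^(cc|cvv|cvc)|card/i;
const SKIPPED_TYPES = new Set(["hidden", "submit", "button", "checkbox", "radio"]);
// Constructed sample markup (not taken from any real site).
const SAMPLE = `
<form method="post">
  <input type="text" name="cc" autocomplete="off" />
  <input type="text" name="cvv" />
  <input type="text" name="account_name" />
</form>
<form method="post" autocomplete="off">
  <input type="text" name="cardnumber" />
  <input type="text" name="cvc" autocomplete="on" />
</form>
<input type="text" name="creditcard12310093409" />`;

// Parse attribute pairs (quoted or unquoted values) from the inside of one tag.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of tagBody.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Return the names of sensitive inputs whose effective autocomplete is not "off".
function findAutocompleteGaps(html) {
  const gaps = [];
  let formSetting = null; // autocomplete value of the enclosing <form>, if any
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  for (const [, closing, tag, body] of html.matchAll(tagRe)) {
    const a = parseAttrs(body);
    if (tag.toLowerCase() === "form") {
      formSetting = closing ? null : (a.autocomplete ?? null);
      continue;
    }
    const label = a.name || a.id || "";
    if (SKIPPED_TYPES.has((a.type || "text").toLowerCase()) || !SENSITIVE.test(label)) continue;
    // The field's own attribute wins; otherwise it inherits the form's setting.
    const effective = (a.autocomplete ?? formSetting ?? "on").toLowerCase();
    if (effective !== "off") gaps.push(label);
  }
  return gaps;
}

console.log(findAutocompleteGaps(SAMPLE));
```
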



On 10/07/2005 at 3:55:05 PM UTC Lola Lee wrote:
I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.

On 10/10/2005 at 2:59:31 PM UTC Ken Kolano wrote:
I tend to apply non-standard attributes like that using JavaScript. This lets me only use them on platforms where they work, and leaves my code nice and standards compliant elsewhere.

On 10/23/2005 at 11:10:19 PM UTC Jason G wrote:
I haven't actually tested this, but it should work:

Another way to make it so that auto-complete doesn't work, but that is still valid XHTML is to randomly generate part of the field name/id.

so for example:

name="creditcard12310093409" ... then you instruct your code to check for a form field with a name beginning in credit card. Since the likelihood of the field name being the same twice is pretty low, the credit card number should never appear in the field when auto complete is used.

On 10/23/2005 at 11:39:39 PM UTC Ryon wrote:
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.

On 12/13/2005 at 11:17:21 PM UTC Kumar wrote:
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)

On 12/30/2005 at 12:59:12 PM UTC Graphixer wrote:
I took a look at Amazon.com's source, and they use the autocomplete="off" in their forms quite a bit.

If it's good enough for them...

On 04/08/2006 at 1:41:04 PM UTC Rainy Day wrote:
As a Mac user, I find this flag really annoying because there's no value in it for me. Autofill information is safely encrypted and stored on the Keychain by Safari. So this flag, for things like user passwords, encourages the use of weak passwords which can be easily remembered, or are stored in plaintext files on the hard drive.

Fortunately, there is an app which will disable the autocomplete flag for Mac Safari users:


On 05/17/2006 at 5:29:59 PM UTC Amanda wrote:
thank you for this. I was wondering how I could turn it off on my web page completely. I have imbedded iframes and the auto complete does not work correctly so I'd just like to turn it off completely.

On 07/07/2006 at 11:36:16 AM UTC Jeff wrote:
This is a great feature I use not to protect data, but to just disable the autocomplete box from popping up. I have an Excel-like grid, and autocomplete gets in the way when using the arrows to go around the grid (cause typically if the autocomplete box is there and you press down, it selects an autocomplete option, not fire the key-down for the down arrow). And it also gets in the way of looking at the grid.

So I think Mac users shouldn't purposely disable it cause they think we're only using it for security. Using your little open source program breaks my web application. The web developer didn't want autocomplete, so you shouldn't put it.

On 07/18/2006 at 4:47:33 PM UTC kevotheclone wrote:
autocomplete="off" can also be used with the <form> element to disable autocomplete in an entire Form. Also, if you must fill out a form with autocomplete enabled on a computer running IE, you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 11/08/2006 at 1:32:35 AM UTC Ngoc Nam wrote:
Thank you! I've just made an input form to input a credit card! This topic is useful for me and others!

On 12/17/2006 at 12:34:32 AM UTC Frank wrote:
About this feature autocomplete=off: Opera browsers induce you for each site, whether you wish to rescue pair the user/password or not. But the opera has decided to not allow support autofull by default. Sysadmin presumed it in a corporate environment.

Sites which reject autofull, really do not help users, I think: if you do not presume to remember to a browser the password, you, more possibly, will use the easy password, or to place the sticky note concerning your monitor. How it does a banking online by more safe?

On 04/16/2007 at 12:14:17 PM UTC Linn wrote:
I have a combo box I've created that modifies an existing textbox. It works great, but the auto-complete portion completely broke the functionality. I think having the ability to turn it off is a good thing. In fact, I think the more control a developer has over html object, the better, as long as it does not cause any major security issues.

On 10/03/2007 at 1:20:15 AM UTC Arun wrote:
But how can I implement the same in a Struts html tag?

On 12/03/2007 at 6:23:42 AM UTC Marius wrote:
Thank you. Exactly what I needed to make my own search keyword suggestion system. Take care

On 12/07/2007 at 6:54:36 AM UTC Mike wrote:
thank you

On 01/10/2008 at 9:04:24 PM UTC Lazarus wrote:
kevotheclone: I reckon you have to have at least three hands to do that....

you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key

On 02/06/2008 at 9:21:01 AM UTC Uli wrote:
I solve it this way - as said before - JavaScript


On 03/30/2008 at 7:59:34 PM UTC luigi193 wrote:
Thanks a ton! I wrote a square foot calculator in PHP for finding prices with dimensions, and whenever I went to enter it, the stupid autofill came on!!! Now that I set the setting, it works great! Wish I read the thing how you can apply it to the <form> tag BEFORE I manually entered it all...

On 07/03/2008 at 10:05:14 AM UTC Tanase Laurentiu Iulian wrote:
Because the "autocomplete" parameter works only in Internet Explorer, I will present you my simple solution ( in this case PHP ) :

First page ( HTML Form ) :

<form method="post">
  <input type="hidden" name="username" value="random1">
  <input type="hidden" name="password" value="random2">
  Username: <input type="text" name="random1" value=""><br />
  Password: <input type="password" name="random2" value="">
</form>

Where "random1" and "random2" are random names generated, you can use in combination with unix time.

Second page ( PHP output ) :

<?php
if ( isset($_POST['username'], $_POST['password'])
  && isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
  // Escape before echoing so submitted values cannot inject markup
  echo 'Username: '.htmlspecialchars($_POST[$_POST['username']]).'<br />'.
       'Password: '.htmlspecialchars($_POST[$_POST['password']]);
}

With this simple solution you won't have to worry about autocomplete anymore in any browser.

On 09/03/2008 at 2:11:04 AM UTC K S Jones wrote:
I also noticed this feature while using a major online payment provider a couple of years ago and have ensured that I have done the same ever since. They used it on the main credit card number field but hadn't added it to the CVV field (verification number on the back of the card). I pointed this out and it was passed onto their development team - I'm not sure if it was actioned? That aside, please remember to apply the autocomplete="off" to this field as well, receipts sometimes carry the full card number and expiry etc, this CVV number is all that would stop online purchases on cards without the new Verified By Visa system (or equiv').

On 09/17/2008 at 5:40:49 AM UTC Dan wrote:
setting the autocomplete attribute with javascript doesn't seem to work in firefox.

On 09/17/2008 at 10:20:42 AM UTC Jeff wrote:
It does, but you need to set it using the "setAttribute" function like so:


This is because Firefox doesn't allow non-standard attributes to be set the short-hand way.

On 11/04/2008 at 4:04:24 AM UTC Majic wrote:
Really, you should be using a secure connection (https) when collecting sensitive information, like credit card detail. IE does not enable autocomplete on https. Although you'll still have the same problem with FF.

On 11/05/2008 at 3:13:11 AM UTC Nick G wrote:
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous.

As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.

On 01/09/2009 at 4:44:19 AM UTC h wrote:
superrrrrrrrrrrrrr rrrrrrrrr

On 02/04/2009 at 4:08:08 AM UTC swathi wrote:
I'm using Mozilla Firefox. I tried elem.setAttribute("autocomplete","off"); but it is not working. Can you help me with this?

On 07/08/2009 at 10:33:27 PM UTC Anonymous wrote:
no .

On 09/17/2009 at 12:03:22 PM UTC Adnan wrote:
Simply use Javascript to do that.

<script type="text/javascript">
function clearCC() {
  document.getElementById('ccnum').value = "";
}

window.onload = clearCC;
</script>

Try this code, but I didn't check it. I just wrote it here :) .. any problem you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am a web programmer; if any of you need any solution just contact me.


On 10/27/2009 at 9:00:23 AM UTC napu wrote:
Thanks for the tip Jeff!! The code


worked for FF 3.5 like a breeze :)

On 12/10/2009 at 4:18:07 PM UTC karl wrote:
Hey... it's my browser, not yours. If I enable the autosave feature, I want to get things saved. If I don't want it, I disable the feature.

So, please, let the users decide. It's not your decision!

On 12/14/2009 at 1:56:36 PM UTC Cork wrote:

It's "embedded," sweetheart.

Also, don't use iFrames.

Also, girls don't code.


On 01/27/2010 at 4:10:45 AM UTC Raj wrote:
cool,it worked:)

On 02/05/2010 at 4:32:11 PM UTC ben wrote:

Unfortunately, browsers don't tend to let you turn on autocomplete *sometimes*. You turn it on or off. As a user, I would appreciate sites turning off autocomplete on fields relating to credit cards, for example. As a programmer, I would prefer to turn off autocomplete for the same fields to avoid problems. You cannot assume that users will even know how to turn off autocomplete in their browser. Just because someone is buying something online does not mean that they know ANYTHING about computers other than how to go to a web page and type their CC info.

In summary, I believe that there should be a standard for disabling browser autocomplete. It's not a usability nightmare as some people have mentioned. It's a security measure. If my credit card number isn't stored in my browser's autocomplete, that's not an inconvenience, it's a relief.

On 03/10/2010 at 8:58:17 PM UTC dataSpheric wrote:
Aha! Somebody told me there was an "argument" here about autocomplete.

Some good points made from standards perspectives BUT forms are different from what we normally do (which is push information). Forms PULL information.

With autocomplete, we might inadvertently push what was pulled.

Now consider this: the user is not always whom we think they are. The user might not be whom we intend them to be.

Disabling autocomplete therefore protects the data and the user community. "Do what's good for the user" now includes their online security.

On 06/24/2010 at 9:49:56 PM UTC Jodis wrote:
I didn't know how to turn this off

On 06/28/2010 at 5:43:53 AM UTC Reza Malik wrote:
This seems to work in Firefox, but in IE the details are still shown when the back button is used!

On 07/09/2010 at 4:31:02 AM UTC Dave wrote:
Reza, autocomplete is the dropdown type thing that shows previously entered values when you start typing in a field. If you want field values cleared, use javascript. jQuery makes it easy...

$(document).ready(function(){
  $.each($('input'), function(){
    $(this).val('');
  });
});

On 08/10/2010 at 10:40:30 AM UTC gireesh wrote:
Textbox entry making me halt on Safari browser, below code solve my problem autocomplete="off".

Thanks Friend...

On 08/17/2011 at 1:23:55 PM UTC Randy wrote:
By the way, having autocomplete="off" is an implementation recommended by PCI-DSS for password and card data form fields, regardless of whether or not the page is behind an SSL certificate.

On 09/16/2011 at 8:40:27 PM UTC James @_Securatek wrote:
Pete, completely agree. Not only is it acceptable to break xHTML for this, but it is also actively required in order to attain PCI-DSS compliance, hence the reason Amazon use it.

I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.
