Turn off autocomplete for credit card input

October 07, 2005

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
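
One way to check a page for the gap described above, as an added example that is not code from the original post: this Node.js sketch lists card, CVV and password inputs whose effective autocomplete setting is not "off", treating a value set on the enclosing form as inherited. The SENSITIVE name pattern, the function names and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: list sensitive inputs whose autocomplete is not "off".
// SENSITIVE is an assumed naming heuristic; tune it to your own field names.
const SENSITIVE = /card|cvv|cvc|pass|(^|[^a-z])(cc|pan)/i;
const SKIPPED_TYPES = ["hidden", "submit", "button", "checkbox", "radio"];

// Parse the attribute part of one start tag into a name -> value map.
function parseAttrs(src) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Walk <form>/<input> tags in order; an input inherits the form's value unless it sets its own.
function findAutocompleteGaps(html) {
  const findings = [];
  let formOff = false;
  const tagRe = /<(\/?)(form|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[3]);
    const own = (attrs.autocomplete || "").toLowerCase();
    if (m[2].toLowerCase() === "form") {
      formOff = m[1] !== "/" && own === "off";
      continue;
    }
    const type = (attrs.type || "text").toLowerCase();
    if (SKIPPED_TYPES.includes(type)) continue;
    const sensitive = type === "password" || SENSITIVE.test(`${attrs.name || ""} ${attrs.id || ""}`);
    const effectiveOff = own === "off" || (own === "" && formOff);
    if (sensitive && !effectiveOff) findings.push(attrs.name || attrs.id || "(unnamed)");
  }
  return findings;
}

// Constructed sample markup (not taken from any real site).
const SAMPLE_HTML = `
<form method="post" action="/pay">
  <input type="text" name="cc" autocomplete="off" />
  <input type="text" name="cvv" />
</form>
<form method="post" action="/login" autocomplete="off">
  <input type="password" name="password" />
  <input type="text" name="card_backup" autocomplete="on" />
</form>`;
console.log(findAutocompleteGaps(SAMPLE_HTML));
```

The tag matcher is regex-based, so an attribute value containing ">" will confuse it; for production audits, run the same logic over a real HTML parser's output.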




I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.
I tend to apply non-standard attributes like that using JavaScript. This lets me only use them on platforms where they work, and leaves my code nice and standards compliant elsewhere.
I haven't actually tested this, but it should work: Another way to make it so that auto-complete doesn't work, but that is still valid XHTML, is to randomly generate part of the field name/id. So for example: name="creditcard12310093409" ... then you instruct your code to check for a form field with a name beginning in credit card. Since the likelihood of the field name being the same twice is pretty low, the credit card number should never appear in the field when auto complete is used.
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)
I took a look at Amazon.com's source, and they use the autocomplete="off" in their forms quite a bit. If it's good enough for them...
As a Mac user, I find this flag really annoying because there's no value in it for me. Autofill information is safely encrypted and stored on the Keychain by Safari. So this flag, for things like user passwords, encourages the use of weak passwords which can be easily remembered, or are stored in plaintext files on the hard drive. Fortunately, there is an app which will disable the autocomplete flag for Mac Safari users: http://magicpubs.com/mac/software/autocomplete/
thank you for this. I was wondering how I could turn it off on my web page completely. I have imbedded iframes and the auto complete does not work correctly so I'd just like to turn it off completely.
This is a great feature I use not to protect data, but to just disable the autocomplete box from popping up. I have an Excel-like grid, and autocomplete gets in the way when using the arrows to go around the grid (cause typically if the autocomplete box is there and you press down, it selects an autocomplete option, not fire the key-down for the down arrow). And it also gets in the way of looking at the grid. So I think Mac users shouldn't purposely disable it cause they think we're only using it for security. Using your little open source program breaks my web application. The web developer didn't want autocomplete, so you shouldn't put it.
autocomplete="off" can also be used with the <form> element to disable autocomplete in an entire Form. Also, if you must fill out a form with autocomplete enabled on a computer running IE, you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key
Thank you! I've just made an input form to input credit cards! This topic is useful for me and others!
About this feature autocomplete=off: Opera browsers induce you for each site, whether you wish to rescue pair the user/password or not. But the opera has decided to not allow support autofull by default. Sysadmin presumed it in a corporate environment. Sites which reject autofull, really do not help users, I think: if you do not presume to remember to a browser the password, you, more possibly, will use the easy password, or to place the sticky note concerning your monitor. How it does a banking online by more safe?
I have a combo box I've created that modifies an existing textbox. It works great, but the auto-complete portion completely broke the functionality. I think having the ability to turn it off is a good thing. In fact, I think the more control a developer has over html object, the better, as long as it does not cause any major security issues.
But how can I implement the same in a Struts html tag?
Thank you. Exactly what I needed to make my own search keyword suggestion system. Take care
thank you
kevotheclone: I reckon you have to have at least three hands to do that.... you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key
I solve it this way - as said before - JavaScript onfocus='this.autocomplete=\"off\";'
Thanks a ton! I wrote a square foot calculator in PHP for finding prices with dimensions, and whenever I went to enter it, the stupid autofill came on!!! Now that I set the setting, it works great! Wish I read the thing how you can apply it to the <form> tag BEFORE I manually entered it all...
Because the "autocomplete" parameter works only in Internet Explorer, I will present my simple solution (in this case PHP):

First page (HTML form):

<form method="post">
  <input type="hidden" name="username" value="random1">
  <input type="hidden" name="password" value="random2">
  Username: <input type="text" name="random1" value=""><br />
  Password: <input type="password" name="random2" value="">
</form>

Where "random1" and "random2" are randomly generated names, which you can use in combination with Unix time.

Second page (PHP output):

<?php
if ( isset($_POST['username'], $_POST['password']) &&
     isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    echo 'Username: '.$_POST[$_POST['username']].'<br />'.
         'Password: '.$_POST[$_POST['password']];
}
?>

With this simple solution you won't have to worry about autocomplete anymore in any browser.
I also noticed this feature while using a major online payment provider a couple of years ago and have ensured that I have done the same ever since. They used it on the main credit card number field but hadn't added it to the CVV field (verification number on the back of the card). I pointed this out and it was passed on to their development team - I'm not sure if it was actioned? That aside, please remember to apply the autocomplete="off" to this field as well; receipts sometimes carry the full card number and expiry etc, and this CVV number is all that would stop online purchases on cards without the new Verified By Visa system (or equiv').
setting the autocomplete attribute with javascript doesn't seem to work in firefox.
It does, but you need to set it using the "setAttribute" function like so: elem.setAttribute("autocomplete","off"); This is because Firefox doesn't allow non-standard attributes to be set the short-hand way.
Really, you should be using a secure connection (https) when collecting sensitive information, like credit card detail. IE does not enable autocomplete on https. Although you'll still have the same problem with FF.
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous. As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.
superrrrrrrrrrrrrr rrrrrrrrr
I'm using Mozilla Firefox. I tried elem.setAttribute("autocomplete","off"); but it is not working. Can you help me with this?
no .
Simply use Javascript to do that.

<script type="text/javascript">
function clearCC() {
  document.getElementById('ccnum').value = "";
}
window.onload = clearCC;
</script>

try this code but i didn't check it. i just wrote it here :) .. any problem you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am web programmer if any of you need any solution just contact me. Thanks
Thanks for the tip Jeff!! The code


worked for FF 3.5 like a breeze :)
Hey... it's my browser, not yours. If I enable the autosave feature, I want to get things saved. If I don't want it, I disable the feature.

So, please, let the users decide. It's not your decision!

It's "embedded," sweetheart.

Also, don't use iFrames.

Also, girls don't code.

cool,it worked:)

Unfortunately, browsers don't tend to let you turn on autocomplete *sometimes*. You turn it on or off. As a user, I would appreciate sites turning off autocomplete on fields relating to credit cards, for example. As a programmer, I would prefer to turn off autocomplete for the same fields to avoid problems. You cannot assume that users will even know how to turn off autocomplete in their browser. Just because someone is buying something online does not mean that they know ANYTHING about computers other than how to go to a web page and type their CC info.

In summary, I believe that there should be a standard for disabling browser autocomplete. It's not a usability nightmare as some people have mentioned. It's a security measure. If my credit card number isn't stored in my browser's autocomplete, that's not an inconvenience, it's a relief.
Aha! Somebody told me there was an "argument" here about autocomplete.

Some good points made from standards perspectives BUT forms are different from what we normally do (which is push information). Forms PULL information.

With autocomplete, we might inadvertently push what was pulled.

Now consider this: the user is not always whom we think they are. The user might not be whom we intend them to be.

Disabling autocomplete therefore protects the data and the user community. "Do what's good for the user" now includes their online security.
I didn't know how to turn this off
This seems to work in Firefox, but in IE the details are still shown when the back button is used!
Reza, autocomplete is the dropdown type thing that shows previously entered values when you start typing in a field. If you want field values cleared, use javascript. jQuery makes it easy...

$.each($('input'), function(){
Textbox entry making me halt on Safari browser, below code solve my problem

Thanks Friend...
thanks for this tips
By the way, having autocomplete="off" is an implementation recommended by PCI-DSS for password and card data form fields, regardless of whether or not the page is behind an SSL certificate.
Pete, completely agree. Not only is it acceptable to break xHTML for this, but it is also actively required in order to attain PCI-DSS compliance, hence the reason Amazon use it.

I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.
The only way I could turn off autofill in Chrome using the autocomplete attribute was to add this in each of the input tags of the form

<input autocomplete="smartystreets">

If you set autocomplete to be anything besides "on" or "off" it will actually disable Chrome autofill
