Turn off autocomplete for credit card input

October 07, 2005
web

Memo to web developers building sites that accept credit card numbers:

Always, always set autocomplete="off" in the input tag. For example:

<input type="text" name="cc" autocomplete="off" />

Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.

The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation, however.

I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
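
To check a page for card fields that are missing the attribute, the markup can be audited mechanically. The following is an added example, not code from the original post: it flags card inputs that neither set autocomplete="off" themselves nor inherit it from their form. The field-name pattern and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# Assumption: field names/ids that suggest card data ("cc" and "ccnum" appear on this page).
SENSITIVE = re.compile(r"cc|ccnum|card[-_]?(number|num|no)?|cvv|cvc", re.I)

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = False  # enclosing <form> has autocomplete="off"
        self.findings = []     # (line number, field name) of unprotected fields

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_off = (a.get("autocomplete") or "").strip().lower() == "off"
        elif tag == "input":
            if (a.get("type") or "text").lower() == "hidden":
                return  # hidden inputs are not typed into by the user
            label = a.get("name") or a.get("id") or ""
            if not SENSITIVE.fullmatch(label):
                return
            if "autocomplete" in a:  # the input's own attribute overrides the form's
                off = (a["autocomplete"] or "").strip().lower() == "off"
            else:
                off = self.form_off
            if not off:
                self.findings.append((self.getpos()[0], label))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    """Return [(line, field name)] for card inputs that allow form completion."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<form method="post" action="/pay">
<input type="text" name="cc" />
<input type="text" name="cvv" autocomplete="off" />
</form>
<form method="post" action="/pay2" autocomplete="off">
<input type="text" name="ccnum" />
<input type="text" name="card_number" autocomplete="on" />
<input type="text" name="city" />
</form>
"""
```

Calling audit(SAMPLE) reports the "cc" field on line 2 and the "card_number" field on line 7, the latter because its own autocomplete="on" overrides the form-level setting.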



Comments

I agree . . . this is truly irritating. Priceline.com is a big culprit of that tactic.
Jason G: If I'm not mistaken, that method might stop the browser from filling in the field automatically, but it would still leave the number stored in plaintext on the hard drive, which is the REAL issue.
Yes, it works. That's great. And it doesn't store the field information anywhere on the computer. Nice :)
Thank you for this. I was wondering how I could turn it off on my web page completely. I have embedded iframes and the auto complete does not work correctly so I'd just like to turn it off completely.
About this feature autocomplete=off: Opera browsers induce you for each site, whether you wish to rescue pair the user/password or not. But the opera has decided to not allow support autofull by default. Sysadmin presumed it in a corporate environment. Sites which reject autofull, really do not help users, I think: if you do not presume to remember to a browser the password, you, more possibly, will use the easy password, or to place the sticky note concerning your monitor. How it does a banking online by more safe?
kevotheclone: I reckon you have to have at least three hands to do that.... you can manually delete the autocomplete entries: 1) Press Alt+Down Arrow 2) Select the autocomplete entry to delete with your mouse or by pressing the Down Arrow key 3) Press the Delete key
Because the "autocomplete" parameter works only in Internet Explorer, I will present you my simple solution (in this case PHP):
First page (HTML form):
<form method="post">
<input type="hidden" name="username" value="random1">
<input type="hidden" name="password" value="random2">
Username: <input type="text" name="random1" value=""><br />
Password: <input type="password" name="random2" value="">
</form>
Where "random1" and "random2" are randomly generated names; you can use them in combination with Unix time.
Second page (PHP output):
<?php
// The hidden fields carry the random names of the real inputs.
if ( isset($_POST['username'], $_POST['password']) && isset($_POST[$_POST['username']], $_POST[$_POST['password']]) ) {
    // Escape the submitted values before echoing them into the page.
    echo 'Username: '.htmlspecialchars($_POST[$_POST['username']]).'<br />'.
         'Password: '.htmlspecialchars($_POST[$_POST['password']]);
}
?>
With this simple solution you won't have to worry about autocomplete anymore in any browser.
I don't see why anyone should be taking credit card numbers on an INSECURE website anyway. As soon as HTTPS is enabled, most common browsers don't use autocomplete. So the very fact that you're even getting this problem means your site is already dangerous. As for injecting it using JS to keep your sites standards compliant - that's just stupid. What's the point in making a standards compliant site, which javascript then messes up by injecting extra non-standard attributes? It would be more reliable and compatible, to simply hard-code the attribute into the HTML, then just ignore the validator warning.
I'm using Mozilla Firefox. I tried elem.setAttribute("autocomplete","off"); but it is not working. Can you help me with this?
Simply use JavaScript to do that.
<script type="text/javascript">
// Clear the card number field every time the page loads.
function clearCC() { document.getElementById('ccnum').value = ""; }
window.onload = clearCC;
</script>
Try this code, but I didn't check it. I just wrote it here :) .. Any problem, you may contact me at msn adn_ahsan(at)hotmail(dot)com .. I am a web programmer; if any of you need any solution just contact me. Thanks
This seems to work in Firefox, but in IE the details are still shown when the back button is used!
Textbox entry was making me halt on the Safari browser; the code below solved my problem:
autocomplete="off".

Thanks Friend...
Pete, completely agree. Not only is it acceptable to break xHTML for this, but it is also actively required in order to attain PCI-DSS compliance, hence the reason Amazon use it.

I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.


Foundeo Inc.