Turn off autocomplete for credit card input
Memo to web developers building sites that accept credit card numbers:
Always, always set autocomplete="off" in the input tag. For example:
<input type="text" name="cc" autocomplete="off" />
Otherwise, if people have the form completion feature turned on, their credit card number will be stored in plain text somewhere on the computer (in the registry, or elsewhere). This is especially dangerous if someone enters their credit card number from a public computer.
The only downside to using this attribute is that it is not standard (it works in IE and Mozilla browsers), and would cause XHTML validation to fail. I think this is a case where it's reasonable to break validation however.
I have been mentioning this to people for a few years, but I just realized that I have never blogged about it.
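To check existing pages for the problem described above, here is an added example (not code from the original post) that scans markup for card-like input fields that leave autocomplete enabled. It goes slightly beyond the post by also honoring autocomplete="off" set on the enclosing form tag; the field-name pattern and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption of this example: field names/ids that suggest card data.
CARD_FIELD = re.compile(r"^cc$|cc[_-]?num|card[_-]?(no|num)|credit[_-]?card|cvv|cvc", re.I)
TEXT_TYPES = {"", "text", "tel", "number", "password"}  # free-text input types

class AutocompleteAudit(HTMLParser):
    """Collects card-like <input> fields that do not disable autocomplete."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # (line number, field name) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").lower() == "off"
        elif tag == "input":
            self._check_input(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

    def _check_input(self, a):
        name = a.get("name") or a.get("id") or ""
        if a.get("type", "").lower() not in TEXT_TYPES or not CARD_FIELD.search(name):
            return
        own = a.get("autocomplete", "").lower()
        # An explicit value on the input overrides the form-level setting.
        if not (own == "off" or (own == "" and self.form_off)):
            self.findings.append((self.getpos()[0], name))

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """\
<form action="/pay" method="post">
  <input type="text" name="cc" autocomplete="off" />
  <input type="text" name="cardNumber" />
  <input type="text" name="cvv" autocomplete="on" />
</form>
<form action="/pay2" autocomplete="off"><input type="text" name="cc_num" /></form>
"""
```

Calling audit(SAMPLE) returns the line number and name of each flagged field, so it can be run over rendered templates as part of a build check.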
I've written an article over at http://www.securatek.net/2011/09/16/why-browser-autocomplete-is-bad-for-security/ that explains exactly why browser autocomplete is bad for security.