[kstrauser]

Good. I have never, not once, seen autocomplete=off where it actually made sense, except in the minds of a developer who erroneously thinks it's a good idea to block password managers.

I can imagine legitimate hypothetical use cases for it. I've just never seen a legitimate actual use case.

Edit: NIST says (in https://pages.nist.gov/800-63-FAQ/#q-b12):

> In SP 800-63B, NIST has not explicitly recommended the use of password managers, but recommends that verifiers permit the use of “paste” functionality so that the subscriber can use a password manager if desired.

I'll take their word over some rando app developer who doesn't want users to have a working 1Password setup.

[mark242]

Two-factor auth selecting focus and suddenly seeing a dropdown of old, worthless 6-digit numbers comes to mind.

[scrollaway]

There is `autocomplete="one-time-code"` for this.

The autocomplete attribute is very extensive.

https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes...

[kstrauser]

I've never seen that in the wild.

[banana_giraffe]

Consider yourself lucky.

I don't recall the service, but one employer of mine had both the suggestions for the MFA token, and as an added bonus, the browser would attempt to correct the "typo" in my username.

[jaywalk]

This is about more than just password fields, although that is a big one.

I can give you a legitimate, actual use case where I had to develop a workaround: a page where an admin can change the password for a user. Under no circumstances would an autofill be desirable on that page, yet Chrome thinks it knows best.

[codyswann]

set autoFill to "new-password"

[LeifCarrotson]

Edit: I stand corrected, this approach worked for me when I was building an internal app but apparently doesn't work at other times.

Just don't give the input an "id=password" and Chrome won't throw your password into it.

It's just a label, the autofill is because it matches all the other sites where you do want Chrome to autofill your password.

[jaywalk]

Ha, how did you come up with that nonsense solution? You've obviously never actually dealt with this if you think that would work.

[dariusj18]

Yeah, Chrome can be very devious at figuring it out. I've had success using `autocomplete="new-password"` at least.

[jsnell]

Forms implementing their own autocompletion logic seem like a pretty compelling case. E.g. for a search input, it makes sense to offer suggestions based on the domain (valid values, popular searches) rather than previous inputs for the same browser.

[sedatk]

Yes, we turn it off on the searchbox of our web page because browser's autocomplete gets in the way of our own despite being much less useful.

[ddoolin]

> I work on a health industry related web app. Our web app is used by health professionals on tablets that are shared between their team members. We have a form within our app that enables our customers (the health professionals) to set up new Clients (their patients).

> Autofill is a Privacy Violation here as it is retaining identity information about Clients when it MUST NOT.

Seems to make perfectly fine sense to me.

[nomel]

The problem is not in the autofill, it's storing the information in the first place!

[true_religion]

Will it store things that were placed into a field with auto fill off?

[SAI_Peregrinus]

AFAIK yes, caching can do so. Even if it doesn't, autofill=off doesn't require it to not store the data, just to not fill it in. Things like session resumption can still store and refill it.

[matheusmoreira]

The web app has no control over what information the browser is and isn't saving. Autofill can and should be disabled in the browser in that case.

[VWWHFSfQ]

It's useful for <input type=password ...> fields that aren't _actually_ passwords. For instance if a UI wants to hide some secret value and then have a click-to-reveal button. autocomplete=off makes sense in these cases because otherwise the browser tries to show worthless autocomplete dropdowns and if there's any form on the page then submitting it will also prompt you to save it in the autocomplete database. Which is also annoying (and worthless).

[daveslash]

When you're trying to deploy your app to a U.S. Department of Defense environment. This includes things like the Veterans Affairs network of hospitals, too. It's a requirement that your web-app has autocomplete disabled (I don't have the DISA STIG ID# off hand...).

I was faced with this dilemma a few years ago. IIRC, the workaround was sketchy as hell. It was something like creating a password input field with the visibility set to none (and then chrome would autofill it, but it wouldn't be visible), and then the user enters their password into a regular text box, but you style the text box with CSS so that it appears as all discs. ~It was something like that, don't recall exactly.

[TheCoelacanth]

Browsers should be designed to best serve their users, not to cater to misguided security requirements.

[elric]

This is one of my pet peeves. Browsers used to be called User Agents. But they've become increasingly user hostile. I want to be able to tell my browser what to remember. Not some random manager/developer who thinks it's insecure for me to have a form field remember my username.

This is one of the areas where browsers could really add some value. Make it easier to decide what to (not) remember. Make it easier to view and edit what's remembered. This is all a tedious pain at the moment, for no good reason I can see.

[G4BB3R]

Autofill many times fill data in wrong fields, and it break UI style too.

[therein]

Yeah, so weird to see so many cheer for it here. I am surprised.

For me, Chrome has countless times clobbered the context-aware autofill (address fields, countries etc.) provided by the website with their useless autofill overlays.

I would much prefer if I could all together disable Chrome's suggestions in DOM input fields. Even when it has nothing to autofill, it sometimes puts something in there to take me to autofill settings or something.

[derekp7]

I have an app at work that has a Search box. Used to accept regex patterns for selecting a host by name or description on the inventory list below. When clicking on that search box, it pops up a list of other search terms that I've entered on other web sites, which has absolutely nothing to do with this app. And when in a zoom meeting, I really don't want others to see my previously typed-in searches.

At least this is one of the top complaints about my app that I get from the customer service folks that use it. I ended up somewhat fixing this by renaming the field, but sometimes it will still pop in something strange -- is Chrome picking up the word "Search" that appears as part of the user facing page content, even if the field ID is different?

[chaosharmonic]

I take it you've never seen Chrome's built-in autofill conflict with an extension that the user installed on purpose?

[salzig]

hell yes. But even worse are customers that want exactly this for "security reasons".

edit: on login pages, beside those are some legitimate usecases.

[Pfhreak]

The linked issue mentions one -- data entry at a medical clinic where new users are being signed up.

[nobodyshere]

And that can be managed by proper browser settings at that establishment.

[berniemadoff69]

the input field to a chatroom, https://i.imgur.com/jhZj8Ur.png

[astura]

>I can imagine legitimate hypothetical use cases for it. I've just never seen a legitimate actual use case.

I find it somewhat annoying that when I fill out my timecard at the end of the day autocomplete is on the hours field. I never want it to pop up my previous hours worked, that's annoying, I only want to enter the hours I worked today.