Input Autocomplete

Appears when you tell the browser to save your password. The browser stores completed form fields and password locally and automatically fill them when a user revisits the site again.

What can happen?

Password and other PII (personally identifiable information) theft. The browser automatically fills in the forms with previously provided information. If the attacker is able to modify the forms (by, say, an XSS flaw), a leak may take place.


An attacker with local access could obtain the cleartext password just by changing the type of the input from password to text.

Combined with an XSS attack, this can be used to retrieve the victim's password remotely. If an attacker has discovered an XSS vulnerability on a website, they can wait for the victim's browser to automatically fill in the username and password in a login form. They can then easily steal the information by using, for example, the following JavaScript:


...or by changing the action attribute when the form is being submitted.


Set the autocomplete attribute to off on the input or on the whole form.

<input type="password" autocomplete="off"/>
<form autocomplete="off">

Note: Modern browsers will ignore the autocomplete="off" attribute.