Recently Firefox started ignoring autoplete="off" for password fields, and now allows the user to save passwords all the time. We have a large application used by thousands of users, and by law we need to ensure that passwords are NEVER saved in plain text on our clients puters.

Is there any way we can prevent Firefox from saving these passwords? We found a workaround for Chrome (it only saves the first password field on the screen, so we added a hidden one before the real one), but we haven't had any luck with Firefox. As of now, the only option we have is to disable Firefox support entirely.

And yes, I realize blocking the user from saving passwords is annoying, but we have no choice ... this is a requirement imposed on us by Federal regulations.

Recently Firefox started ignoring autoplete="off" for password fields, and now allows the user to save passwords all the time. We have a large application used by thousands of users, and by law we need to ensure that passwords are NEVER saved in plain text on our clients puters.

Is there any way we can prevent Firefox from saving these passwords? We found a workaround for Chrome (it only saves the first password field on the screen, so we added a hidden one before the real one), but we haven't had any luck with Firefox. As of now, the only option we have is to disable Firefox support entirely.

And yes, I realize blocking the user from saving passwords is annoying, but we have no choice ... this is a requirement imposed on us by Federal regulations.

• javascript
• html
• firefox

• use <input type="password">? – Mike 'Pomax' Kamermans Commented Aug 21, 2014 at 4:04
• 1 May be this developer.mozilla/en-US/docs/Web/Security/… – Jatin Commented Aug 21, 2014 at 4:05
• Out of curiosity, what industry/country/law has this requirement? – user3553031 Commented Aug 21, 2014 at 4:10
• 4 United States - medical field – Beep beep Commented Aug 21, 2014 at 13:15

4 Answers 4

This question sparked a lot of debate at the office, but we came up with a solution.

Use a button click event to submit the form (instead of a normal submit button). Then populate your hidden field, remove the value of the visible field and submit. JSFIDDLE

Click event sample:

$('#post').click(function(e) {
    var password = $("#password");
    var realPassword = $("#therealdeal");
    realPassword.val(password.val());
    password.val('');
    $('#form').submit();
});

It appears that on a submit event the browser will serialize the form and use the serlized objects values to submit. This is why you can't simply do something like

Not working sample:

$('#form').submit(function(e) {
    var password = $("#password");
    var realPassword = $("#realpassword");
    realPassword.val(password.val());
    password.val('');
});

even though the value on the dom is cleared out before a true submit happens it still reads from the serialized form object.

Tested this in IE, Firefox, and Chrome

Use <input type=text autoplete=off> instead. Such a control will not be affected by password managers at all. It will not mask out the characters that the user types. Otherwise, it works the same as with type=password.

If the usability improvement (no masking out) is not acceptable to the higher powers, you need to create your own masking behaviour (catch input events, change input to “*” or some other masking character, saving the actual input in a hidden field) or find a library tool that does that for you.

Firefox does not store passwords in its autoplete database; it only offers to store them in its password manager. If the user supplies a "master password" in Preferences->Security, the password manager's database in encrypted. Alternately, if you disable the password manager in Preferences->Security, the password manager will never store passwords encrypted or otherwise.

If your objective is to require that passwords be never stored in plain text, trying to prevent browsers from storing them isn't a particularly effective strategy. Users can always just keep a text file full of passwords on their desktops.

Firefox isn't alone at ignoring autoplete="off" with respect to its password manager; Internet Explorer 11 also does that. Firefox's rationale behind this change is recorded at https://bugzilla.mozilla/show_bug.cgi?id=956906. In essence, the consensus is that trying to require that users memorize unique passwords for every site where they have accounts leads to weak, re-used passwords, and that the best strategy for avoiding that is to use password managers. See also this thread: https://security.stackexchange./questions/49326/should-websites-be-allowed-to-disable-autoplete-on-forms-or-fields.

Here's my solution to a similar problem:

This code is executed after the page is loaded:

setTimeout(function(){
    $(".profile-form input[type=password]").val('');
}, 500);

Just allow some time (in this case, 500 ms) after the page is loaded before resetting the value of the input field. I didn't work without the setTimeout.