A local adversary can steal password from the autocomplete feature of the browser

While login to any website by passing username and password then browser will ask to remember or save password, if we click on YES then the credentials will be saved in the plain text format. So it can be easily retrievable. It leads to security issue.


To fix it we need to add autocomplete feature for sensitive data in the form in HTML or JSP  as follows.

<input type="password" autocomplete="off" name="pwd"/>

Even After adding the above attribute, browser will be asking remember or save password but when we click on YES then the above attribute override browser settings. So the credentials will not be saved.

If we want enable autocomplete off for all attribute then we have to add the above attribute in the form level as follows.

<form autocomplete="off" name="loginform">

Then entire form parameters will be autocomplete off.

I hope you understood, A local adversary can steal password from the autocomplete feature of the browser.  Please leave a comment or reply.


The Author


Hello! I am Narayanaswamy founder and admin of narayanatutorial.com. I have been working in IT industry more than 7 years. NarayanaTutorial is my web technologies blog. My specialties are Java / J2EE, Spring, Hibernate, Struts, Webservices, PHP, Oracle, MySQL, SQLServer, Web Hosting and Website Development. I am a self learner and passionate about training and writing. I am always trying my best to share my knowledge through my blog.

Leave a Reply