A local adversary can steal password from the autocomplete feature of the browser

While login to any website by passing username and password then browser will ask to remember or save password, if we click on YES then the credentials will be saved in the plain text format. So it can be easily retrievable. It leads to security issue.

 

To fix it we need to add autocomplete feature for sensitive data in the form in HTML or JSP  as follows.

<input type="password" autocomplete="off" name="pwd"/>

Even After adding the above attribute, browser will be asking remember or save password but when we click on YES then the above attribute override browser settings. So the credentials will not be saved.

If we want enable autocomplete off for all attribute then we have to add the above attribute in the form level as follows.

<form autocomplete="off" name="loginform">

Then entire form parameters will be autocomplete off.

I hope you understood, A local adversary can steal password from the autocomplete feature of the browser.  Please leave a comment or reply.

 

Leave a Reply