
AutoComplete Not Disabled for 'Password' Field



The remote web application server may be prone to a policy violation.


The remote web server is hosting a form that calls for a user password. However, the 'AutoComplete' functionality has not been disabled for the password. When AutoComplete is enabled, the client machine will store the form data for future use. This can be very dangerous as attackers can target confidential data that has been stored on the client computer.

Note: As of Internet Explorer 11, the 'autocomplete' property is no longer supported for 'input type=password' fields.


Set Autocomplete="OFF" within the web form. Any value other than "off" will result in AutoComplete being enabled.

Note: PVS only reports on the first occurrence of this item on a web server. The entire web source should be parsed for similar occurrences.
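One way to carry out that full-source review, as an added example (not Tenable's or PVS's detection logic): a Python standard-library parser that lists every password input whose effective autocomplete value is not "off". The sample HTML is constructed, and treating a form-level autocomplete attribute as the default for its fields is an assumption of this example.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete value is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # value set on the enclosing <form>, if any
        self.findings = []             # (line, field name, effective value)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # valueless attribute -> ""
        if tag == "form":
            self.form_autocomplete = attrs.get("autocomplete")
        elif tag == "input" and attrs.get("type", "").strip().lower() == "password":
            # Assumption: the field's own attribute wins, else the form's applies.
            value = attrs.get("autocomplete", self.form_autocomplete)
            # Per the page: any value other than "off" leaves AutoComplete enabled.
            if value is None or value.strip().lower() != "off":
                self.findings.append((self.getpos()[0], attrs.get("name", "?"), value))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit(html):
    """Return all findings for one HTML document, not just the first."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page covering missing, inherited, overridden and odd values.
SAMPLE = """<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw1">
</form>
<form action="/change" autocomplete="off">
  <input type="password" name="pw2">
  <input type="PASSWORD" name="pw3" autocomplete="on">
</form>
<form action="/reset">
  <input type="password" name="pw4" autocomplete="OFF">
  <input type="password" name="pw5" autocomplete="false">
</form>
</body></html>"""

if __name__ == "__main__":
    for line, name, value in audit(SAMPLE):
        print(f"line {line}: password field {name!r} has autocomplete={value!r}")
```
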