Require autocomplete attribute on password inputs
- Rule ID:
- autocomplete-password
- Category:
- Security
- Standards:
- -
Password input fields should have a proper autocomplete attribute to control browser password autofill behavior.
Browsers and password managers often ignore autocomplete="off" for password fields and autofill them anyway.
This can lead to unexpected behavior where users unknowingly submit autofilled passwords for unrelated fields.
This rule ensures that:
- All
<input type="password">elements have anautocompleteattribute - The
autocompleteattribute is not set to"off" - Optionally, the
autocompletevalue matches a configured preferred value
See HTML specification for more information about autocomplete tokens.
Rule details
Examples of incorrect code for this rule:
<input type="password">
<input type="password" autocomplete="off">
Examples of correct code for this rule:
<input type="password" autocomplete="new-password">
Options
This rule takes an optional object:
{
"preferred": null
}
preferred
When set, this option requires all password inputs to use a specific autocomplete value.
Examples of incorrect code with { "preferred": "new-password" }:
<input type="password" autocomplete="current-password">
Examples of correct code with { "preferred": "new-password" }:
<input type="password" autocomplete="new-password">
Version history
- 10.8.0 - Rule added.