CARLI / web-reports

Web Reports Web Based Reporting Tool

Disable Password Form Autocomplete #136

Open bgant opened 7 years ago

bgant commented 7 years ago

Security scans recommend disabling "autocomplete" on password form input. The default HTML page contains the following line of HTML that appears to have triggered the alert:

The following URL recommends adding autocomplete="off" or something similar to disable password autocomplete:

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

bgant commented 7 years ago

Ed and I have researched this more and it is confusing...

1) Chrome, Firefox, Safari, and IE all started ignoring autocomplete="off", apparently to help users on mobile phones avoid a lot of typing.

2) Cross-Site Scripting (XSS) may allow hackers to access the autocomplete data from form fields you have filled out that the browser is caching.

3) Chrome told developers to use "made up values" like autocomplete="this-is-special-text" instead of autocomplete="off", and Chrome would not autocomplete that form field.

This issue seems to be unresolved, so I don't see any point in making a change to our services at this time.
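A small check of the kind the security scan in this issue performs, added here as an example (it is not code from the web-reports project): it scans an HTML string for password inputs and reports whether each one has no autocomplete attribute, the often-ignored "off" value, or a specific token such as the made-up values mentioned above. The login form string is constructed for the example, and the tag matching is a simple regex, not a full HTML parser.

```javascript
// Match every <input ...> tag; good enough for an audit, not for parsing arbitrary HTML.
const INPUT_TAG = /<input\b[^>]*>/gi;

// Return the value of an attribute inside one tag string, or null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Classify each password input the way a scanner would:
//   'missing' - no autocomplete attribute (or "on"): browser may cache the password
//   'off'     - autocomplete="off": present, but modern browsers may ignore it
//   'token'   - any other value (e.g. "new-password" or a made-up value)
function auditPasswordInputs(html) {
  const findings = [];
  for (const tag of html.match(INPUT_TAG) || []) {
    if ((getAttr(tag, 'type') || 'text').toLowerCase() !== 'password') continue;
    const ac = getAttr(tag, 'autocomplete');
    let status;
    if (ac === null || ac.toLowerCase() === 'on') status = 'missing';
    else if (ac.toLowerCase() === 'off') status = 'off';
    else status = 'token';
    findings.push({ name: getAttr(tag, 'name'), autocomplete: ac, status });
  }
  return findings;
}

// Constructed sample form (hypothetical; not the project's default page).
const SAMPLE_FORM = `
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="password2" autocomplete="off">
  <input type="password" name="password3" autocomplete="new-password">
</form>`;

for (const f of auditPasswordInputs(SAMPLE_FORM)) {
  console.log(`${f.name}: autocomplete=${f.autocomplete} -> ${f.status}`);
}
```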