Should autocomplete=“off” be used for all sensitive fields?

Question

What are your thoughts about this issue in regards to an e-commerce environment?

Do you think it is wise to turn autocomplete off on all sensitive input fields such

Answer 1

Unless it is a highly-secure site, I would tend to leave autocomplete on. If it is for a password field, the browser will prompt the user if they want to save the information, at which point the user can make their own decision.

Answer 2

An eCommerce application I worked on several years ago underwent a security audit and one of their recommendations was to disable autocomplete for sensitive fields.

It wasn't a strict requirement, but it probably will be at some point, given how eCommerce standards are these days..

Answer 3

It depends what you mean by e-commerce. In Internet banking you should disable autocomplete. In online shopping - not necessarily.

It's worth remembering that autocomplete does not force remembering passwords. User has to agree to store their credentials, so they always can reject.

Answer 4

I really dislike that when I start to type in my credit card number and it lists all of the numbers I have used in the past, as well as the 3 digit code. Not cool IMO.

Answer 5

I hate websites that do that. It is the client's decision if they want to save passwords or not. What is particularly irksome is that this attribute breaks OS X's native KeyChain support. So, even though the user has stored his password in a secure file, and authorized themselves and the application to use it, the website still thinks it knows better. Just plain annoying.

Answer 6

I use password/form managers like 1Password and RoboForm specifically to get around websites that disable autocomplete; these add-ons typically ignore the website's preferences in favor of their own more sophisticated logic.