Web Security Experts: We're thinking of dropping the "disable autocomplete" requirement from @OWASP Application Security Verification Standard since we think it's outdated and that the standard should focus elsewhere. What say you, experts?
I'd suggest the bigger threat these days has been "bad" sites that hide forms and steal data, not "good" sites that enable autocomplete.
So can I read into this that you are ok with us dropping the requirement around disabling autocomplete from ASVS and just not mention it for our next version? And thank you, Andy!
That is my general stance, though I defer to @bilcorry and @laraghavan for their likely more informed opinions :)
Safer to allow password managers to store passwords than someone reusing a password because they have to memorize it. For a time, Chrome ignored it for their PW manager, but I think it reverted - @mikewest can chime in.
Aug 1, 2018 · 7:19 PM UTC


