Web Security Experts: We're thinking of dropping the "disable autocomplete" requirement from @OWASP Application Security Verification Standard since we think it's outdated and that the standard should focus elsewhere. What say you, experts?
I'd suggest the bigger threat these days has been "bad" sites that hide forms and steal data, not "good" sites that enable autocomplete.
So can I read into this that you are ok with us dropping the requirement around disabling autocomplete from ASVS and just not mentioning it in our next version? And thank you, Andy!
That is my general stance, though I defer to @bilcorry and @laraghavan for their likely more informed opinions :)
Safer to allow password managers to store passwords than someone reusing a password because they have to memorize it. For a time, Chrome ignored it for their PW manager, but I think it reverted - @mikewest can chime in.
That's just the password field. Browsers have ignored password field disabling since 2014, I think. But is it wise to tell developers to disable autocomplete in all other fields that might contain sensitive data?
It’s probable that the browser already captured autofill data on other websites, and by disabling autofill, you’re adding friction to your website with little/no security benefit to the user. Ultimately, the user has control over autofill via browser settings, let them decide.

Aug 1, 2018 · 9:32 PM UTC

Agree! The security benefit does NOT outweigh the end-user friction it creates.
I think I agree with @bilcorry, but I also very much wish that Chrome would move to a full-on-select model in every case. Fully-automatic autofill is a little too automatic for me.
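An added example, not from the thread or from ASVS: a small Node.js lint that flags the two cases discussed above, autocomplete="off" on password fields (a no-op in browsers that only blocks password managers) and autocomplete="off" on other fields (friction with little benefit). The sample form is constructed, and the current-password / new-password suggestions are the HTML standard's autofill tokens, which the thread itself does not mention.

```javascript
// Added example: audit an HTML fragment for autocomplete="off" on <input> fields.
// Parsing is a plain regex over <input> tags, enough for a lint pass; it is not
// a full HTML parser. Sample form below is constructed for demonstration.

const PASSWORD_TOKENS = new Set(['current-password', 'new-password']);

// Extract name="value" / name='value' / name=value pairs from one tag, lowercased.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).toLowerCase();
  }
  return attrs;
}

// Returns one finding per problematic field: { field, severity, note }.
function auditAutocomplete(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const field = a.name || a.id || '(unnamed)';
    const ac = a.autocomplete;
    if (a.type === 'password') {
      if (ac === 'off') {
        findings.push({ field, severity: 'high',
          note: 'autocomplete=off on a password field is ignored by browsers and only blocks password managers; use current-password or new-password' });
      } else if (!PASSWORD_TOKENS.has(ac)) {
        findings.push({ field, severity: 'low',
          note: 'password field has no current-password/new-password token for password managers' });
      }
    } else if (ac === 'off') {
      findings.push({ field, severity: 'info',
        note: 'autocomplete=off adds friction with little security benefit; the user controls autofill in browser settings' });
    }
  }
  return findings;
}

// Constructed sample login/checkout form.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="off">
  <input type="text" name="card_number" autocomplete="off">
  <input type="password" name="new_pw" autocomplete="new-password">
</form>`;

console.log(auditAutocomplete(SAMPLE_HTML));
```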