Autocomplete is a feature that remembers the user names submitted in sign-in forms, as well as all words submitted through any forms in the system. This page focuses only on the autocomplete functionality in sign-in forms.
When users try to sign in using a form, the autocomplete feature provides them with a list of already remembered user names. This is convenient for the users in many ways:
- The users do not have to type the whole user name every time they want to sign in.
- If the users forget their user names, this feature can help them sign in.
- It reduces the discomfort of having to type the user names repeatedly on mobile devices.
However, autocomplete can pose a security risk. A malicious user who obtains user names from the autocomplete feature may gain access to the users' accounts, for example, using a dictionary attack. Thus, you should always consider the damage a malicious user can do to the users' accounts. The threat depends mainly on the type of application you are creating and how the application will be used (only on private computers, or in public places such as schools and libraries).
You should disable autocomplete in applications working with:
- Bank accounts
- Social media
- Sensitive information
On the other hand, autocomplete can be useful in applications like:
- Interest and hobby forums
The autocomplete functionality can be disabled for the username input in sign-in forms using the autocomplete HTML attribute:
<input name="Login1$UserName" class="LogonTextBox" id="Login1_UserName" type="text" maxlength="100" autocomplete="Off" />
To disable autocomplete in sign-in forms:
- Open the Settings application.
- Select the Security & Membership -> Protection setting tree item.
- Clear the Enable Autocomplete check box.
- Click Save.
This check box influences the following sign-in dialogs:
- Sign-in page to the administration interface
- Sign-in web parts
- Shopping cart web part
Note: With autocomplete disabled, the system generates the autocomplete="Off" attribute for username inputs in sign-in forms. However, how the attribute is handled depends on the individual browser, its configuration, installed plugins, etc. Some client configurations and applications may use autocomplete features even when the attribute is set to off.
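One way to confirm that a rendered sign-in page actually carries the attribute after the setting is saved. This is an added example, not part of the product or its documentation. The function name find_autocomplete_enabled_inputs, the class name and the sample markup are constructed for illustration. The check also covers the case where the attribute is set on the enclosing form rather than on the input itself.

```python
from html.parser import HTMLParser

# Input types typically used for user names in sign-in forms (assumption).
USERNAME_TYPES = {"text", "email"}

class AutocompleteAudit(HTMLParser):
    """Collects username-style inputs whose effective autocomplete is not off."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # (input name, reason) for each input left enabled

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off = a.get("autocomplete", "").strip().lower() == "off"
        elif tag == "input" and (a.get("type") or "text").lower() in USERNAME_TYPES:
            name = a.get("name") or a.get("id") or "<unnamed>"
            if "autocomplete" in a:
                # The value is case-insensitive, so "Off" counts as "off".
                if a["autocomplete"].strip().lower() != "off":
                    self.findings.append((name, "autocomplete=" + a["autocomplete"]))
            elif not self.form_off:
                # No attribute on the input and none inherited from the form.
                self.findings.append((name, "attribute missing"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def find_autocomplete_enabled_inputs(html):
    """Return the username inputs in `html` that browsers may still autocomplete."""
    audit = AutocompleteAudit()
    audit.feed(html)
    return audit.findings

# Constructed sample markup, modelled on the input element shown on this page.
SAMPLE_DISABLED = ('<form><input name="Login1$UserName" class="LogonTextBox" '
                   'id="Login1_UserName" type="text" maxlength="100" '
                   'autocomplete="Off" /></form>')
SAMPLE_ENABLED = ('<form><input name="Login1$UserName" class="LogonTextBox" '
                  'id="Login1_UserName" type="text" maxlength="100" /></form>')

if __name__ == "__main__":
    for label, page in (("disabled", SAMPLE_DISABLED), ("enabled", SAMPLE_ENABLED)):
        print(label, find_autocomplete_enabled_inputs(page))
```

An empty result only shows that the attribute is present in the markup; as the note above says, the browser decides whether to honor it.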