Why you should not use autocomplete

Today at Pubcon Matt Cutts of Google once again promoted the use of autocomplete-type, a new property for web forms that works in Chrome (and possibly other browsers, I haven’t checked). Google first introduced it back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete in your browser.

This test URL will show you way quicker than I can explain it in words. Please try it and come back. If you’re using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It’s as simple as adding the fields to the form and hiding them from the user…

So: turn off autocomplete until your browser has better controls on what gets autofilled.

How to turn off autocomplete in Chrome

In Chrome, go to your Settings, click Advanced, then make sure the top box here (that is checked in the screenshot) is NOT checked:

[Screenshot: disable-autocomplete]

Post Updates

  • It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blog post explains it best; go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
  • Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
    [Screenshot: safari autofill]
  • Filling credit card info requires you to focus on a credit-card-specific field that is not the credit card name field. This makes the feature inherently safer, but it still means a site could retrieve your personal address and much more when all you thought you were giving out is your email address or name.
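
A defender-side check for the hidden-field trick described above, as an added example that is not part of the original post: it flags form fields that ask for personal data through autofill but are concealed from the user. The names `auditForm` and `hiddenReason`, the field descriptor shape and the sample form are all constructed for illustration.

```javascript
// Added example: flag autofill-eligible inputs that the user cannot see.
// Fields are plain descriptors so the logic runs in Node; in a browser they
// would be built from getComputedStyle() and getBoundingClientRect().

// Autofill field names that carry personal data (subset of the HTML spec's list).
const SENSITIVE = /^(name|given-name|family-name|email|tel|street-address|address-line[123]|address-level[1-4]|postal-code|country|cc-(name|number|exp|exp-month|exp-year|csc))$/;

// Returns why a field is invisible to the user, or null if it can be seen.
function hiddenReason(f, pageWidth) {
  const s = f.style, r = f.rect;
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden') return 'visibility:hidden';
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.width < 2 || r.height < 2) return 'zero-size';
  if (r.left + r.width <= 0 || r.top + r.height <= 0 || r.left >= pageWidth) return 'off-screen';
  return null;
}

// Lists every concealed field whose autocomplete token or name asks for personal data.
function auditForm(fields, pageWidth = 1280) {
  const findings = [];
  for (const f of fields) {
    const acToken = (f.autocomplete || '').trim().toLowerCase().split(/\s+/).pop();
    const token = [acToken, (f.name || '').toLowerCase()].find((t) => SENSITIVE.test(t));
    const reason = token && hiddenReason(f, pageWidth);
    if (reason) findings.push({ name: f.name, token, reason });
  }
  return findings;
}

// Constructed sample: a newsletter form showing one field and concealing three.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = (left, top, width = 300, height = 30) => ({ left, top, width, height });
const sampleForm = [
  { name: 'email', autocomplete: 'email', style: shown, rect: box(20, 100) },
  { name: 'addr', autocomplete: 'shipping street-address', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
  { name: 'postal-code', autocomplete: 'on', style: shown, rect: box(-9999, 100) },
  { name: 'phone', autocomplete: 'tel', style: { ...shown, opacity: '0' }, rect: box(20, 140) },
  { name: 'comment', autocomplete: '', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
];

console.log(auditForm(sampleForm));
```

In a browser, each descriptor would come from `getComputedStyle(el)` and `el.getBoundingClientRect()`; fields hidden by an ancestor's styles or clipping need the same checks applied up the tree.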

Joost de Valk is the founder and CEO of Yoast. He's a WordPress / Web developer, SEO and an Open Source fanatic. He's also (and more importantly) the father of three sons called Tycho, Ravi and Borre, a daughter called Wende and the husband of the lovely Marieke, who also works at Yoast.


60 Responses to Why you should not use autocomplete

  1. Ryan Cote
    Ryan Cote  • 5 years ago

    I am also thinking if someone has basic info about you, such as your email address, they can get their hands on your computer and start auto-filling out all kinds of forms without your knowledge. Fortunately, it’s a quick fix.

  2. Mitchell
    Mitchell  • 5 years ago

    Hello Joost:
    Thank you very much for explaining autocomplete.

    Web forms have not changed much since the 90’s. Autocomplete, in its current state, is not a welcome change.

    Best wishes, Mitchell

  3. Arbaz K
    Arbaz K  • 5 years ago

    That is really an informative article. Thanks for sharing this stuff with us. I just deactivated the autofill option to stay on the safe side.

  4. JAAS
    JAAS  • 5 years ago

    I just deactivated after reading this. Thanks for the info

  5. Muhammad Abdullah
    Muhammad Abdullah  • 5 years ago

    Absolutely lovely!! Good Work
    Thanks for the sharing information alike. Its really so productive as well as this website. I am so Happy!!!

    Thanks,
    Muhammad Abdullah

  6. Steve Schellert
    Steve Schellert  • 5 years ago

    This is really good. I did not fully understand the pitfalls of not shutting off autocomplete.

  7. channarith
    channarith  • 5 years ago

    Thanks for sharing. I just did it.

  8. Portões Automáticos
    Portões Automáticos  • 5 years ago

    Thanks for sharing this information!

  9. TJ Draper
    TJ Draper  • 5 years ago

    Safari 7 (at least with Mavericks) is much smarter about this. It actually showed me a popup of all the info it was about to fill in and wanted to know if I was really really sure I wanted to give away all that information. Given that, I’m leaving auto-complete on.

  10. Jaleel Hamid
    Jaleel Hamid  • 5 years ago

    Wow… scary stuff.
    Thanks for the heads up Yoast! :-)

  11. Sohail waris
    Sohail waris  • 5 years ago

    I 100% agree with you but before reading this article my opinion was really negative.

  12. Dave Bezaire
    Dave Bezaire  • 5 years ago

    I’m with you! I’ve been an advocate of RoboForm (and the others now available like LastPass and KeePass) for many years. In a world of so many spies, I want to control at least some of my info!

    Dave

  13. Bartosz
    Bartosz  • 5 years ago

    I think that autocomplete will always be in use.. because it makes our life easier and reduces the number of clicks ; )

  14. Durga Swaroop
    Durga Swaroop  • 5 years ago

    I never would have thought that such things happen. I use auto fill tool almost everyday. But, yea, I’ve deactivated it. Thanks for the info. :)

  15. Bruce
    Bruce  • 5 years ago

    Thank you for sharing this Yoast
    I like it!

  16. Faust
    Faust  • 5 years ago

    Does incognito mode in Chrome still work for autocomplete?

  17. Gabriel Gasparolo
    Gabriel Gasparolo  • 5 years ago

    I just checked on Safari (OS X Mavericks) and it alerts me what information is going to be sent.

  18. reprezenta
    reprezenta  • 5 years ago

    I guess taking that extra minute to fill a form by yourself seems legit now!

  19. Mike
    Mike  • 5 years ago

    This apparently doesn’t happen on Safari 7 with Mavericks. I hit tab to invoke the auto complete prompt, and none of the other fields are filled except for the one.

  20. Ramiro
    Ramiro  • 5 years ago

    The term “autocomplete” is misleading. The values that go into autocomplete fields come from the server and not your browser. It’s what is used for Google search etc.

    What you/Matt Cutts are talking about is AutoFill, which is indeed something you shouldn’t use.

  21. Toan
    Toan  • 5 years ago

    Thank you for posting this Yoast.
    I like it

  22. Hieu
    Hieu  • 5 years ago

    Good advance . Thanks for share

  23. Sean Markey
    Sean Markey  • 5 years ago

    Thank you for posting this Yoast. I had no idea autofill could be so open to abuse. I’ll be making sure to tell everyone I know about it and sending them on to this post.
    ,Sean

  24. Raghav
    Raghav  • 5 years ago

    Okay, till this time i was thinking chrome was only filling up few details that were asked, but if somehow some spammy or malicious sites get our personal or financial data.. it will be completely our fault..

    After knowing this I’m done with auto-complete..

  25. Arup Ghosh
    Arup Ghosh  • 5 years ago

    Autocomplete is a useful but dangerous feature .

  26. Nghe nhạc chất lượng cao
    Nghe nhạc chất lượng cao  • 5 years ago

    Good advance, I get some experiences when see this post. Thank you

  27. Sneha Malik
    Sneha Malik  • 5 years ago

    It also happens with me on Mozilla Firefox :(

    • Unlockboot
      Unlockboot  • 5 years ago

      Yes, I got the same problem in Firefox.

  28. Nimitz
    Nimitz  • 5 years ago

    Good thing I am not a fan of using autocomplete button.

    I always turn it off when it shows up!

  29. satnam
    satnam  • 5 years ago

    Sorry guys, this question is not related to this post. Unfortunately, comments are closed on the other post. And please bear with someone who is a beginner among you experts.

    Post: http://yoast.com/change-wordpress-permalink-structure/

    I use ProPhoto, and I see two .htaccess files. One is in www directory and other is in public_html. Where do I add the redirect code, or does it need to be in both places?

    Thanks.

  30. Bub
    Bub  • 5 years ago

    With Chrome’s developer tools, you can reveal the hidden form fields on the sample form and see how they are being populated, without even submitting the form to Yoast.

    I tried it out, and although my credit card information is stored in Chrome, I found that the form would not autopopulate the credit card fields, unless I actually used autocomplete on the cc-number, cc-exp-month, or cc-exp fields. And when you do that, Chrome pops up its dropdown with the credit card logo, so you know that it is happening.

    In short, I don’t think that you have demonstrated that this technique can be used to steal credit card information without your knowledge. On the other hand, it is able to grab other information such as full name, physical address, and email address. Although the sample form didn’t include telephone, I was able to twiddle it to see that it could grab that as well.

  31. SeoZebra
    SeoZebra  • 5 years ago

    I think, it has connection with the Snowden story…

  32. Ranger
    Ranger  • 5 years ago

    Yak, that is really scary.

  33. nikhil
    nikhil  • 5 years ago

    The same issue perfectly working in firefox latest version browser as well, while pentesting some applications.

  34. Raw Hasan
    Raw Hasan  • 5 years ago

    Thanks for alerting. Removed the feature from chrome right away.

  35. ninjustin
    ninjustin  • 5 years ago

    This feature has been known to not have any security for years. Stuff is just kept in plain text files. Find a 3rd party alternative like Last Pass or something that encrypts your information if you want auto-complete. I’d rather pay attention to what info I’m giving someone anyway.

  36. Matt Sells
    Matt Sells  • 5 years ago

    Agree 100%!!
    PS: I like to see micro posts.

  37. Roger Lapin
    Roger Lapin  • 5 years ago

    I use Firefox and it only entered my name?
    Is that ok, I didn’t even know what auto complete was, I was told by an IT security person to use Firefox over any other browser..

  38. finferflu
    finferflu  • 5 years ago

    This also happens in Safari unfortunately :(

  39. Andrew
    Andrew  • 5 years ago

    Thanks for the info. Will share your website link on our Facebook page for others to know.

  40. Hayden Chudy
    Hayden Chudy  • 5 years ago

    Thoughts on just curating your auto-complete? I just went into settings and you can manage every entry and delete them. I never save credit cards and never will, with properly curated addresses all they can get are your phone number or email, which doesn’t bother me since I can block spam.

    Unless I’m missing something major.

  41. Karl
    Karl  • 5 years ago

    Or manage your auto-complete entries and make sure anything you don’t want revealed (Like a credit card) is not saved.
    ———————
    Click the Chrome menu on the browser toolbar.
    Select Settings.
    Click Show advanced settings and find the “Passwords and forms” section.
    Click Manage Autofill settings.
    ———————
    Or, simply bookmark this URL for easy access:
    chrome://settings/autofill

  42. Adeel Sami
    Adeel Sami  • 5 years ago

    Thank you, Joost! I always had bad feeling about auto-complete and never had it turned on for me.

  43. Scott
    Scott  • 5 years ago

    Thanks for the great tip Yoast.

  44. Sav
    Sav  • 5 years ago

    Just what I’ve entered. Got autocomplete on.

  45. Sheifu
    Sheifu  • 5 years ago
  46. Martijn
    Martijn  • 5 years ago

    @Brian, not everything’s a tradeoff. It’s a matter of being conscious about your privacy, and the motivation of big, commercial companies to gather as much information about you and me as possible. To deal with this growing danger, luckily there are options to choose from.. And these options are a lot more than just choosing between autocomplete or manually typing in our info.

  47. John Garrett
    John Garrett  • 5 years ago

    Curses. I autocompleted this comment form. Oh, well…I guess I can trust Yoast :)

    So I guess this also goes for services like Lastpass.com and the like? I assume their “fill form” feature will fill in the hidden fields just as well?

    I wonder if there’s a way for autocomplete to check if a field is visible or deliberately hidden and either alert the user, or be set to never fill those fields in?

    I suppose the only way you could be sure is to turn it off completely.

    • Wayne
      Wayne  • 5 years ago

      I found this over on the lastpass forums.

      “We make an effort to avoid filling into hidden fields, but it could be possible for a site to use advanced CSS techniques to end up with a field that is technically visible, but (for example) is rendered off the screen.

      I personally generally work around this by having a form fill profile without sensitive data (I call it “No Financial Info”), and I use that form fill profile when I’m filling into a page that I know I don’t want to provide sensitive data to.”

      • John Garrett
        John Garrett  • 5 years ago

        Thanks Dean and Wayne, that’s good info.

        The convenience of autocomplete isn’t worth the potential consequences, so off it goes.

    • Daan Kortenbach
      Daan Kortenbach  • 5 years ago

      You shouldn’t trust Yoast.com (or any website). Hidden fields could be injected by other parties without you (or Yoast) knowing about it. If you have ever visited a website through an anonymous proxy your cache could be infected by an altered JavaScript file with a long expire time. For instance jQuery loaded from a general CDN (like Google’s and used by many WordPress sites) could be altered to add malicious code which you would consecutively and unknowingly use on every site that loads that jQuery file. Luckily Yoast loads his jQuery from his own CDN so the risk is lower but he does load some other JavaScript from other parties (which website does not load ga.js?), these could easily be infected by a malicious anonymous proxy owner.

      Yoast’s advice is valid, turn off autocomplete. And think before you do.

      Some additional advice…
      – Never use “free anonymous” proxies (if the product is free, you are the product)
      – Clean your browser cache regularly
      – If you must use autocomplete, use a password manager like 1Password or LastPass

  48. Hassan
    Hassan  • 5 years ago

    Crap! I never knew this, but I always turn off autofill, never remember passwords etc. and the like.

  49. Brian Morearty
    Brian Morearty  • 5 years ago

    Everything’s a tradeoff. If you do use autocomplete, keyloggers won’t capture what you entered.

    • Rob
      Rob  • 5 years ago

      and if you have a key logger installed then that trojan that’s also installed probably already took all your stored data…

    • boohbah
      boohbah  • 5 years ago

      you can use a software like Trusteer Rapport to block keyloggers

    • Caspy7
      Caspy7  • 5 years ago

      Isn’t someone more likely to use this technique to get your information than get a keylogger on your system?

    • Angel
      Angel  • 5 years ago

      Very interesting point, Brian. Never thought about that.

      • Jacob
        Jacob  • 5 years ago

        But it’s much harder to install a keylogger on a users machine than it is to take some free data that the browser is posting to you.

  50. Benjamin
    Benjamin  • 5 years ago

    This new feature seems dangerous indeed. Thanks for the information, I just deactivated it.

    I personally use lastpass to fill forms, like that I don’t have to type everything again, but I can still control what happens.

