Why you should not use autocomplete
Today at Pubcon Matt Cutts of Google once again promoted the use of autocomplete-type, a new property for web forms that works in Chrome (and possibly other browsers, I haven’t checked). Google first introduced it back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete in your browser.
This test URL will show you way quicker than I can explain it in words. Please try it and come back. If you’re using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It’s as simple as adding the fields to the form and hiding them from the user…
So: turn off autocomplete until your browser has better controls on what gets autofilled.
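To check a form for the pattern described above, here is an added example (not code from the original post or from any browser) that audits form markup for inputs autofill could populate while they are concealed from the user. The function names, the field-name hints and the sample form are assumptions made for illustration, and only inline styles are inspected.

```javascript
// Added example: heuristic audit of form markup for autofillable inputs the user cannot see.
// Names here are hypothetical. Only inline styles are checked; hiding done through a
// stylesheet needs a real DOM and computed styles to detect.
const AUTOFILL_HINT = /(name|email|tel|phone|address|street|city|zip|postal|country|cc-|card)/i;
const CONCEALED = [
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0(\.0+)?\s*(;|$)/i,
  /(left|top|margin-left|text-indent)\s*:\s*-\d{3,}/i, // pushed far off-screen
];

// Parse the attributes of one <input ...> tag into a lower-cased key/value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return inputs whose name/id/autocomplete looks autofillable and whose style conceals them.
function findConcealedAutofillFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttrs(tag);
    const label = `${a.name || ""} ${a.id || ""} ${a.autocomplete || ""}`;
    if (!AUTOFILL_HINT.test(label)) continue;
    const style = a.style || "";
    if (CONCEALED.some((rx) => rx.test(style))) {
      findings.push({ field: a.name || a.id, style });
    }
  }
  return findings;
}

// Constructed sample: a newsletter form that shows one field and conceals two more.
const SAMPLE_FORM = `
<form action="/subscribe" method="post">
  <input type="text" name="email" placeholder="Your email">
  <input type="text" name="address" style="position:absolute; left:-9999px">
  <input type="text" name="cc-number" style="display:none">
  <input type="submit" value="Subscribe">
</form>`;

console.log(findConcealedAutofillFields(SAMPLE_FORM));
```

A finding is a prompt for manual review, not proof of abuse: sites also conceal fields for legitimate reasons such as multi-step forms.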
How to turn off autocomplete in Chrome
In Chrome, go to your Settings, click Advanced, then make sure the top box here (that is checked in the screenshot) is NOT checked:
- It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blog post explains it best; go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
- Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
- Filling credit card info requires you to focus on a credit card specific field that is not the credit card name field. This makes this feature inherently safer, but it still means a site could retrieve your personal address and much more when all you thought you were giving out is your email address or name.