Why you should not use autocomplete

Several updates to this post below!

Today at Pubcon, Matt Cutts of Google once again promoted the use of autocomplete-type, a new property for web forms that works in Chrome (and possibly other browsers, I haven’t checked). Google first introduced it back in January 2012 in this post. I wanted to do this quick post to tell you to turn off autocomplete in your browser.

This test URL will show you why quicker than I can explain it in words. Please try it and come back. If you’re using autocomplete to, for instance, sign up for an email newsletter, you might have just provided that website with your full address and/or (even worse) your credit card details too. It’s as simple as adding the fields to the form and hiding them from the user…

So: turn off autocomplete until your browser has better controls on what gets autofilled.
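To check a form for the hidden-field trick described above, here is an added example (not code from the original post or from any browser): it flags fields whose names suggest personal data but which the user cannot see. The field-name hints, the hiding heuristics and the sample form are all assumptions made for illustration.

```javascript
// Added example: flag fields autofill could populate but the user cannot see.
// The name hints and hiding heuristics below are assumptions, not a complete list.
const PERSONAL = /(name|email|tel|phone|address|street|city|zip|postal|country|company|cc-|card)/i;

// Why a field is invisible, or null. Works on a plain descriptor or on live DOM values.
function hiddenReason(f) {
  const s = f.style || {};
  const r = f.rect || { width: 100, height: 20, right: 100, bottom: 20 };
  if (s.display === 'none') return 'display:none';
  if (s.visibility === 'hidden' || s.visibility === 'collapse') return 'visibility:hidden';
  if (parseFloat(s.opacity) === 0) return 'opacity:0';
  if (r.width <= 1 || r.height <= 1) return 'zero-size';
  if (r.right < 0 || r.bottom < 0) return 'off-screen';
  return null;
}

function findHiddenAutofillFields(fields) {
  const findings = [];
  for (const f of fields) {
    if (f.type === 'hidden') continue; // assumption: autofill skips type=hidden inputs
    if (!PERSONAL.test(`${f.autocomplete || ''} ${f.name || ''}`)) continue;
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, reason });
  }
  return findings;
}

// Browser adapter for the DevTools console: findHiddenAutofillFields(describeForm(form))
function describeForm(form) {
  return [...form.querySelectorAll('input, select, textarea')].map((el) => ({
    name: el.name, autocomplete: el.getAttribute('autocomplete'), type: el.type,
    style: getComputedStyle(el), rect: el.getBoundingClientRect(),
  }));
}

// Constructed sample: a newsletter form that shows one field and hides three more.
const SAMPLE = [
  { name: 'email', type: 'email', style: { display: 'block' } },
  { name: 'street-address', type: 'text', style: { display: 'none' } },
  { name: 'phone', type: 'tel', style: {}, rect: { width: 120, height: 20, right: -9879, bottom: 20 } },
  { name: 'postal-code', type: 'text', style: { opacity: '0' } },
  { name: 'csrf', type: 'hidden', style: {} },
];
console.log(findHiddenAutofillFields(SAMPLE));
```

A field hidden only by an ancestor's opacity or by clipping is not caught by these checks, so an empty result does not prove a form is clean.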

How to turn off autocomplete in Chrome

In Chrome, go to your Settings, click Advanced, then make sure the top box here (that is checked in the screenshot) is NOT checked:

[Screenshot: disable-autocomplete]

Post Updates

  • It turns out Matt was talking specifically about requestAutocomplete, which is altogether different. This blog post explains it best; go read it, as it’s rather cool. It effectively deals with the problem shown above by showing you what will be autocompleted! However, as you can see in the test above, you’re still vulnerable right now if you use “normal” autocomplete.
  • Safari is just as vulnerable to what I showed above as Chrome is. In fact, autocomplete is on by default in it:
    [Screenshot: safari autofill]
  • Filling credit card info requires you to focus on a credit card specific field that is not the credit card name field. This makes this feature inherently safer, but it still means a site could retrieve your personal address and much more when all you thought you were giving out is your email address or name.

This post first appeared on Yoast. Whoopity Doo!