#43886 closed enhancement (fixed)
Chrome autofills password over "new password" field when updating user.
Reported by: | WraithKenny | Owned by: | joedolson |
---|---|---|---|
Milestone: | 6.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | has-patch commit |
Focuses: | accessibility, administration | Cc: |
Description
Chrome, the wonderful browser that it is, is super helpful.
When editing a user (even your own), and attempting to update the password with a nice strong one, Chrome will (helpfully) insert *your* old password into the new password field, right when you click update. (You can tell, because the length of the password will change to your passwords length).
Incognito Mode fixes it, apparently, and uninstalling Chrome in favor of Firefox seems to work too.
From what I've been able to guess, it's because of Chrome's unique implementation of completely ignoring autocomplete="off"
https://bugs.chromium.org/p/chromium/issues/detail?id=370363#c7 and suggests autocomplete="new-password"
instead.
Alternatively, <form autocomplete="off">
could possibly work. https://stackoverflow.com/questions/15738259/disabling-chrome-autofill
It does seem to make sense to disable autocomplete completely on the edit-user form, since it's not actually useful to fill in some random user's info with info from your browser...especially passwords...despite what Chrome seems to believe.
Attachments (2)
Change History (19)
#4
@
5 years ago
This is related to #35707. If Chrome will actually respect new-password
I like that approach. Turning the whole form autocomplete off is a blunt solution, but the simplicity of it is appealing...
#6
@
3 years ago
- Keywords 2nd-opinion removed
- Milestone changed from Awaiting Review to 6.0
- Type changed from feature request to enhancement
This ticket was mentioned in PR #2273 on WordPress/wordpress-develop by konradyoast.
3 years ago
#7
- Keywords has-patch added; needs-patch removed
Trac ticket: https://core.trac.wordpress.org/ticket/43886
#10
@
3 years ago
Looking at the PR and the comments on it, I think this is mostly good; but in my opinion the database password field needs to be left as autocomplete="off".
The database password is mostly a one-time use password, and unlikely to be represented in a user's keychain, so 'current-password' is most likely to suggest an invalid password, if it offers anything, and I don't believe 'new-password' would ever offer a valid suggestion, since this is not a password-generating field.
#11
@
3 years ago
43886.2.diff includes the New User page. If no further change is necessary for #52714, both tickets could be closed with the same commit.
This ticket was mentioned in Slack in #accessibility by sabernhardt. View the logs.
3 years ago
This ticket was mentioned in Slack in #accessibility by ryokuhi. View the logs.
3 years ago
#14
@
3 years ago
- Keywords needs-testing added
This ticket was reviewed today during the Accessibility Team's weekly bug-scrub.
I'm adding the needs-testing
label, so that if the latest patch works this can be committed.
sabernhardt commented on PR #2273:
3 years ago
#17
changes committed in revision 53111
Firefox 70 implements
autocomplete=new-password
now too, and I think this will be a nice UX improvements well.I will submit patches for password reset and user registration fields.