Make WordPress Core

Opened 6 years ago

Closed 2 years ago

Last modified 2 years ago

#43886 closed enhancement (fixed)

Chrome autofills password over "new password" field when updating user.

Reported by: wraithkenny's profile WraithKenny Owned by: joedolson's profile joedolson
Milestone: 6.0 Priority: normal
Severity: normal Version:
Component: Users Keywords: has-patch commit
Focuses: accessibility, administration Cc:


Chrome, the wonderful browser that it is, is super helpful.

When editing a user (even your own), and attempting to update the password with a nice strong one, Chrome will (helpfully) insert *your* old password into the new password field, right when you click update. (You can tell, because the length of the password will change to your passwords length).

Incognito Mode fixes it, apparently, and uninstalling Chrome in favor of Firefox seems to work too.

From what I've been able to guess, it's because of Chrome's unique implementation of completely ignoring autocomplete="off" and suggests autocomplete="new-password" instead.

Alternatively, <form autocomplete="off"> could possibly work.

It does seem to make sense to disable autocomplete completely on the edit-user form, since it's not actually useful to fill in some random user's info with info from your browser...especially passwords...despite what Chrome seems to believe.

Attachments (2)

43886.2.diff (6.0 KB) - added by joedolson 2 years ago.
Patch refreshed; database password change removed.
43886.3.diff (6.8 KB) - added by joedolson 2 years ago.
Add autocomplete=off to 43886 to resolve 52714.

Download all attachments as: .zip

Change History (19)

#1 @WraithKenny
6 years ago

  • Type changed from defect (bug) to feature request
  • Version set to trunk

#2 @pento
5 years ago

  • Version trunk deleted

#3 @ayeshrajans
5 years ago

Firefox 70 implements autocomplete=new-password now too, and I think this will be a nice UX improvements well.

I will submit patches for password reset and user registration fields.

#4 @bookdude13
4 years ago

This is related to #35707. If Chrome will actually respect new-password I like that approach. Turning the whole form autocomplete off is a blunt solution, but the simplicity of it is appealing...

#5 @sabernhardt
3 years ago

Also related: #52714 (for the new user screen)

#6 @sabernhardt
2 years ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 6.0
  • Type changed from feature request to enhancement

This ticket was mentioned in PR #2273 on WordPress/wordpress-develop by konradyoast.

2 years ago

  • Keywords has-patch added; needs-patch removed

#8 @joedolson
2 years ago

  • Owner set to joedolson
  • Status changed from new to accepted

#9 @joedolson
2 years ago

  • Focuses accessibility added

#10 @joedolson
2 years ago

Looking at the PR and the comments on it, I think this is mostly good; but in my opinion the database password field needs to be left as autocomplete="off".

The database password is mostly a one-time use password, and unlikely to be represented in a user's keychain, so 'current-password' is most likely to suggest an invalid password, if it offers anything, and I don't believe 'new-password' would ever offer a valid suggestion, since this is not a password-generating field.

2 years ago

Patch refreshed; database password change removed.

#11 @sabernhardt
2 years ago

43886.2.diff includes the New User page. If no further change is necessary for #52714, both tickets could be closed with the same commit.

This ticket was mentioned in Slack in #accessibility by sabernhardt. View the logs.

2 years ago

This ticket was mentioned in Slack in #accessibility by ryokuhi. View the logs.

2 years ago

#14 @ryokuhi
2 years ago

  • Keywords needs-testing added

This ticket was reviewed today during the Accessibility Team's weekly bug-scrub.
I'm adding the needs-testing label, so that if the latest patch works this can be committed.

2 years ago

Add autocomplete=off to 43886 to resolve 52714.

#15 @sabernhardt
2 years ago

  • Keywords commit added; needs-testing removed

#16 @joedolson
2 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 53111:

Users: Use autocomplete values on user profiles.

Assign appropriate autocomplete values for new and edited user, user email, and password fields.

Props clonemykey, sabernhardt, WraithKenny, bookdude13, konradyoast.
Fixes #43886, #52714.

sabernhardt commented on PR #2273:

2 years ago

changes committed in revision 53111

Note: See TracTickets for help on using tickets.