Make WordPress Core

Opened 6 years ago

Closed 20 months ago

Last modified 19 months ago

#43886 closed enhancement (fixed)

Chrome autofills password over "new password" field when updating user.

Reported by: wraithkenny's profile WraithKenny Owned by: joedolson's profile joedolson
Milestone: 6.0 Priority: normal
Severity: normal Version:
Component: Users Keywords: has-patch commit
Focuses: accessibility, administration Cc:


Chrome, the wonderful browser that it is, is super helpful.

When editing a user (even your own), and attempting to update the password with a nice strong one, Chrome will (helpfully) insert *your* old password into the new password field, right when you click update. (You can tell, because the length of the password will change to your passwords length).

Incognito Mode fixes it, apparently, and uninstalling Chrome in favor of Firefox seems to work too.

From what I've been able to guess, it's because of Chrome's unique implementation of completely ignoring autocomplete="off" and suggests autocomplete="new-password" instead.

Alternatively, <form autocomplete="off"> could possibly work.

It does seem to make sense to disable autocomplete completely on the edit-user form, since it's not actually useful to fill in some random user's info with info from your browser...especially passwords...despite what Chrome seems to believe.

Attachments (2)

43886.2.diff (6.0 KB) - added by joedolson 21 months ago.
Patch refreshed; database password change removed.
43886.3.diff (6.8 KB) - added by joedolson 20 months ago.
Add autocomplete=off to 43886 to resolve 52714.

Download all attachments as: .zip

Change History (19)

#1 @WraithKenny
6 years ago

  • Type changed from defect (bug) to feature request
  • Version set to trunk

#2 @pento
5 years ago

  • Version trunk deleted

#3 @ayeshrajans
4 years ago

Firefox 70 implements autocomplete=new-password now too, and I think this will be a nice UX improvements well.

I will submit patches for password reset and user registration fields.

#4 @bookdude13
4 years ago

This is related to #35707. If Chrome will actually respect new-password I like that approach. Turning the whole form autocomplete off is a blunt solution, but the simplicity of it is appealing...

#5 @sabernhardt
3 years ago

Also related: #52714 (for the new user screen)

#6 @sabernhardt
2 years ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Awaiting Review to 6.0
  • Type changed from feature request to enhancement

This ticket was mentioned in PR #2273 on WordPress/wordpress-develop by konradyoast.

22 months ago

  • Keywords has-patch added; needs-patch removed

#8 @joedolson
21 months ago

  • Owner set to joedolson
  • Status changed from new to accepted

#9 @joedolson
21 months ago

  • Focuses accessibility added

#10 @joedolson
21 months ago

Looking at the PR and the comments on it, I think this is mostly good; but in my opinion the database password field needs to be left as autocomplete="off".

The database password is mostly a one-time use password, and unlikely to be represented in a user's keychain, so 'current-password' is most likely to suggest an invalid password, if it offers anything, and I don't believe 'new-password' would ever offer a valid suggestion, since this is not a password-generating field.

21 months ago

Patch refreshed; database password change removed.

#11 @sabernhardt
21 months ago

43886.2.diff includes the New User page. If no further change is necessary for #52714, both tickets could be closed with the same commit.

This ticket was mentioned in Slack in #accessibility by sabernhardt. View the logs.

20 months ago

This ticket was mentioned in Slack in #accessibility by ryokuhi. View the logs.

20 months ago

#14 @ryokuhi
20 months ago

  • Keywords needs-testing added

This ticket was reviewed today during the Accessibility Team's weekly bug-scrub.
I'm adding the needs-testing label, so that if the latest patch works this can be committed.

20 months ago

Add autocomplete=off to 43886 to resolve 52714.

#15 @sabernhardt
20 months ago

  • Keywords commit added; needs-testing removed

#16 @joedolson
20 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 53111:

Users: Use autocomplete values on user profiles.

Assign appropriate autocomplete values for new and edited user, user email, and password fields.

Props clonemykey, sabernhardt, WraithKenny, bookdude13, konradyoast.
Fixes #43886, #52714.

sabernhardt commented on PR #2273:

19 months ago

changes committed in revision 53111

Note: See TracTickets for help on using tickets.