Here is the script in action:
How can you avoid this issue?
From a development point of view the AutoComplete attribute should be set to “off”. This can be done at the form or input level. This looks something like this at the FORM level:
<FORM autocomplete = “off”>
and like this at the INPUT level:
<INPUT type=”password” autocomplete=”off”>
From a testing perspective it is important to make sure you have AutoComplete enabled in the browser so that you can visually catch the risk if it occurs:
Internet Explorer 6 (Tools > Internet Options > Content tab > AutoComplete button):
FireFox (Tools > Options > Privacy > Passwords):
Look for AutoComplete in INPUT tags:
Look for AutoComplete in FORM tags:
To protect yourself as a user you should UNCHECK the “form” checkbox in IE6 or in FireFox you should UNCHECK the “Remember Passwords” checkbox or use the Master Password feature (which will prompt a master password to be entered before the autocomplete occurs).