在政府医疗机构工作的乐趣之一是必须处理所有围绕PHI(受保护的健康信息)的偏执。不要误解我的意思,我支持尽一切可能保护人们的个人信息(健康状况、财务状况、上网习惯等),但有时人们会有点太神经质了。

举个例子:我们的一位州客户最近发现浏览器提供了保存密码的方便功能。我们都知道它已经存在了一段时间,完全是可选的,由最终用户决定是否使用它是一个明智的决定。然而,目前有一点骚动,我们被要求找到一种方法来禁用我们网站的功能。

问:网站有没有办法告诉浏览器不要提供记住密码的功能?我从事网络开发已经很长时间了,但我不知道我以前遇到过这种情况。

任何帮助都是感激的。


当前回答

autocomplete="off"不能在Firefox 31中禁用密码管理器,在一些早期版本中也很可能不能。

查看mozilla关于此问题的讨论: https://bugzilla.mozilla.org/show_bug.cgi?id=956906

我们希望使用第二个密码字段输入由令牌生成的一次性密码。现在我们使用文本输入而不是密码输入。:-(

其他回答

Since most of the autocomplete suggestions, including the accepted answer, don't work in today's web browsers (i.e. web browser password managers ignore autocomplete), a more novel solution is to swap between password and text types and make the background color match the text color when the field is a plain text field, which continues to hide the password while being a real password field when the user (or a program like KeePass) is entering a password. Browsers don't ask to save passwords that are stored in plain text fields.

The advantage of this approach is that it allows for progressive enhancement and therefore doesn't require Javascript for a field to function as a normal password field (you could also start with a plain text field instead and apply the same approach but that's not really HIPAA PHI/PII-compliant). Nor does this approach depend on hidden forms/fields which might not necessarily be sent to the server (because they are hidden) and some of those tricks also don't work either in several modern browsers.

jQuery插件:

https://github.com/cubiclesoft/php-flexforms-modules/blob/master/password-manager/jquery.stoppasswordmanager.js

相关源代码来自上述链接:

(function($) {
$.fn.StopPasswordManager = function() {
    return this.each(function() {
        var $this = $(this);

        $this.addClass('no-print');
        $this.attr('data-background-color', $this.css('background-color'));
        $this.css('background-color', $this.css('color'));
        $this.attr('type', 'text');
        $this.attr('autocomplete', 'off');

        $this.focus(function() {
            $this.attr('type', 'password');
            $this.css('background-color', $this.attr('data-background-color'));
        });

        $this.blur(function() {
            $this.css('background-color', $this.css('color'));
            $this.attr('type', 'text');
            $this[0].selectionStart = $this[0].selectionEnd;
        });

        $this.on('keydown', function(e) {
            if (e.keyCode == 13)
            {
                $this.css('background-color', $this.css('color'));
                $this.attr('type', 'text');
                $this[0].selectionStart = $this[0].selectionEnd;
            }
        });
    });
}
}(jQuery));

演示:

https://barebonescms.com/demos/admin_pack/admin.php

点击菜单中的“添加条目”,然后滚动到页面底部的“模块:停止密码管理器”。

免责声明:虽然这种方法适用于视力正常的人,但屏幕阅读器软件可能存在问题。例如,屏幕阅读器可能会大声读出用户的密码,因为它看到的是纯文本字段。使用上述插件还可能产生其他不可预见的后果。改变内置的web浏览器功能应该通过测试各种各样的条件和边缘情况来进行。

因为autocomplete="off"对密码字段不起作用,所以必须依赖javascript。这里有一个简单的解决方案,基于这里找到的答案。

添加属性data-password-autocomplete="off"到你的密码字段:

<input type="password" data-password-autocomplete="off">

包括以下JS:

$(function(){
    $('[data-password-autocomplete="off"]').each(function() {
        $(this).prop('type', 'text');
        $('<input type="password"/>').hide().insertBefore(this);
        $(this).focus(function() {
            $(this).prop('type', 'password');
        });
    });     
});

这个解决方案适用于Chrome和FF。

就像人们意识到的那样——“自动完成”属性在大多数时候都是有效的,但高级用户可以使用bookmarklet绕过它。

使用浏览器保存密码实际上可以增加对键盘记录的保护,所以最安全的选择可能是将密码保存在浏览器中,但使用主密码保护它们(至少在Firefox中是这样)。

我周围有个工作,可能会有帮助。

你可以自定义字体。所以,做一个自定义字体,所有的字符为点/圆/星号为例。使用它作为你网站的自定义字体。检查如何做到这一点在inkscape:如何使自己的字体

然后在你的登录表单上使用:

<form autocomplete='off'  ...>
   <input type="text" name="email" ...>
   <input type="text" name="password" class="password" autocomplete='off' ...>
   <input type=submit>
</form>

然后添加css:

@font-face {
    font-family: 'myCustomfont';
    src: url('myCustomfont.eot');
    src: url('myCustomfont?#iefix') format('embedded-opentype'),
         url('myCustomfont.woff') format('woff'),
         url('myCustomfont.ttf') format('truetype'),
         url('myCustomfont.svg#myCustomfont') format('svg');
    font-weight: normal;
    font-style: normal;

}
.password {
  font-family:'myCustomfont';
}

很好的跨浏览器兼容性。我尝试过IE6+、FF、Safari和Chrome浏览器。只要确保你转换的oet字体不会被损坏。希望有帮助?

If you do not want to trust the autocomplete flag, you can make sure that the user types in the box using the onchange event. The code below is a simple HTML form. The hidden form element password_edited starts out set to 0. When the value of password is changed, the JavaScript at the top (pw_edited function) changes the value to 1. When the button is pressed, it checks the valueenter code here before submitting the form. That way, even if the browser ignores you and autocompletes the field, the user cannot pass the login page without typing in the password field. Also, make sure to blank the password field when focus is set. Otherwise, you can add a character at the end, then go back and remove it to trick the system. I recommend adding the autocomplete="off" to password in addition, but this example shows how the backup code works.

<html>
  <head>
    <script>
      function pw_edited() {
        document.this_form.password_edited.value = 1;
      }
      function pw_blank() {
        document.this_form.password.value = "";
      }
      function submitf() {
        if(document.this_form.password_edited.value < 1) {
          alert("Please Enter Your Password!");
        }
        else {
         document.this_form.submit();
        }
      }
    </script>
  </head>
  <body>
    <form name="this_form" method="post" action="../../cgi-bin/yourscript.cgi?login">
      <div style="padding-left:25px;">
        <p>
          <label>User:</label>
          <input name="user_name" type="text" class="input" value="" size="30" maxlength="60">
        </p>
        <p>
          <label>Password:</label>
          <input name="password" type="password" class="input" size="20" value="" maxlength="50" onfocus="pw_blank();" onchange="pw_edited();">
        </p>
        <p>
          <span id="error_msg"></span>
        </p>
        <p>
          <input type="hidden" name="password_edited" value="0">
          <input name="submitform" type="button" class="button" value="Login" onclick="return submitf();">
        </p>
      </div>
    </form>
  </body>
</html>