The following is a possible new chapter to be added to Refactoring HTML in the accessibility section. I’m throwing this in fairly late in the editing process, so I’d appreciate any thoughts, comments, or criticisms you might have about this. In particular, I’d appreciate any cases you can think of where autocomplete is not appropriate.

For what it’s worth, I’ve pretty well convinced myself that usernames and passwords are not such a case. That is, autocompleting usernames and passwords definitely increases accessibility and usually increases security. I don’t intend to explain why it improves security in this chapter, but if anyone wants to disagree with that, I’ll explain why in the comments.



Remove autocomplete="off" attributes where appropriate.

<form action="/login" method="post" autocomplete="off">
  <p><label>E-Mail Address:
    <input type="text" name="e1" autocomplete="off"/>
  </label></p>
  <p><label>Password:
    <input type="password" name="p1" />
  </label></p>
  <input type="submit" title="Login" autocomplete="off"/>
</form>

<form action="/login" method="post">
  <p><label>E-Mail Address:
    <input type="text" name="e1" />
  </label></p>
  <p><label>Password:
    <input type="password" name="p1" />
  </label></p>
  <input type="submit" title="Register" />
</form>

Motivation

Autocompletion helps users avoid wasting time retyping repetitive content. However, it’s especially helpful to physically impaired users (including the very young and very old) who have much greater difficulty typing than average.

Autocompletion also improves security in login forms by avoiding the need for users to write down passwords or reuse the same password from site to site. Login forms that prevent users from using autocomplete are far more likely to be compromised by out-of-band mechanisms such as shoulder surfing.

Potential Trade-offs

Many webmasters believe that autocompleting logins is a security risk. It may indeed be so on a shared computer, such as one in a public library. However, only the end user can determine whether or not their computer is shared. Users are always free not to remember a username or password, or to tell the browser to forget stored information, if they use a shared computer. That said, I do recommend that lab managers configure their computers to forget all stored information (not just forms but cookies, bookmarks, history, and other potentially private data) between browser restarts.

Mechanics

Search your HTML pages for autocomplete="off". This can appear on the form element or on individual input elements. When you find it, consider whether this is really appropriate.

Some forms really do expect different input each time. For instance, the main query field in a search engine likely doesn’t see a lot of repeated content from the same user, or at least not enough to make autocomplete helpful. Most users search for something different every time they visit. These forms may legitimately use autocomplete="off". Therefore you should not perform a blanket search and replace that removes all autocomplete="off" attributes.

However, in the vast majority of cases, autocomplete="off" merely inconveniences users for little or no good reason. If you’re in doubt, remove it. The user never has to use autocomplete, but they should not be prevented from doing so by the server’s whim.
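
One way to carry out the search described under Mechanics without a blanket search and replace, as an added example that is not part of the original chapter: a Python script that lists every place autocomplete is switched off, including fields that only inherit the setting from their form, so each hit can be judged individually. The class and function names and the search form in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser

BUTTONS = {"submit", "button", "reset", "image"}  # autocomplete has no effect here

class AutocompleteAudit(HTMLParser):
    """Record where autocomplete is switched off, directly or via the enclosing form."""
    def __init__(self):
        super().__init__()
        self.form_off = False  # True while inside <form autocomplete="off">
        self.findings = []     # (line, tag, form action or field name, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        setting = a.get("autocomplete", "").strip().lower()
        line, label = self.getpos()[0], a.get("action" if tag == "form" else "name", "")
        if tag == "form":
            self.form_off = setting == "off"
            if self.form_off:
                self.findings.append((line, tag, label, "explicit"))
        elif tag in ("input", "textarea", "select"):
            if tag == "input" and a.get("type", "text").lower() in BUTTONS:
                if setting == "off":
                    self.findings.append((line, tag, label, "no effect on a button"))
            elif setting == "off":
                self.findings.append((line, tag, label, "explicit"))
            elif not setting and self.form_off:
                self.findings.append((line, tag, label, "inherited from form"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: the chapter's "before" login form plus an assumed search form.
SAMPLE = """\
<form action="/login" method="post" autocomplete="off">
<p><label>E-Mail Address: <input type="text" name="e1" autocomplete="off"/></label></p>
<p><label>Password: <input type="password" name="p1" /></label></p>
<input type="submit" title="Login" autocomplete="off"/>
</form>
<form action="/search" method="get"><input type="search" name="q" autocomplete="off"/></form>
"""

if __name__ == "__main__":
    for line, tag, label, reason in audit(SAMPLE):
        print(f"line {line}: <{tag}> {label or '(unnamed)'}: {reason}")
```

The password field carries no attribute of its own yet is reported, because the form-level setting applies to it; removing the attribute from individual inputs alone would leave it disabled.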