Fix guide · info · password_field_autocomplete_off
Password field uses autocomplete="off" — outdated guidance
A password field explicitly sets autocomplete="off". Once considered a hardening practice; modern guidance (NIST SP 800-63B §5.1.1.2, OWASP ASVS 4.0) recommends the opposite — allowing password-manager autofill leads to stronger, unique passwords.
Why it matters
For ~15 years, autocomplete="off" on password fields was considered best practice — the assumption was that letting browsers save passwords made shared-computer scenarios riskier.
That assumption no longer holds:
- Modern password managers are separate from browsers (1Password, Bitwarden, Dashlane) and are not affected by the page-level autocomplete attribute.
- Browser password managers themselves now ignore the attribute on password fields in most cases. Chrome, Firefox, Safari, and Edge all decided that disabling autofill caused more harm (weak passwords, reuse) than it prevented (rare shared-device misuse).
- NIST SP 800-63B §5.1.1.2 explicitly says: "Verifiers SHOULD permit claimants to use 'paste' functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets."
- OWASP ASVS 4.0 V2.1.6 requires that password managers be permitted.
So autocomplete="off" on password fields is now:
- Mostly ignored by browsers anyway.
- Documented as an anti-pattern by NIST and OWASP.
- A signal that the team is following old security guidance — worth surfacing because there may be other outdated practices nearby (e.g. mandatory password rotation, character-class requirements, password length caps).
This finding is info severity — not a security issue per se, but worth a 5-minute fix.
How to fix it
Remove autocomplete="off" from password fields and replace it with the appropriate explicit value:
<!-- Bad — outdated practice -->
<input type="password" autocomplete="off">
<!-- Good — login -->
<input type="password" autocomplete="current-password">
<!-- Good — registration -->
<input type="password" autocomplete="new-password">
For genuinely sensitive single-use fields (e.g. a "type your password to confirm account deletion" field where you don't want the password manager to autofill the existing password into the wrong action), use autocomplete="new-password" or simply omit the attribute. Don't use autocomplete="off" — browsers ignore it and it signals outdated thinking.
Also worth auditing:
- Password length caps. Modern recommendation: minimum 8, maximum at least 64 (NIST). Capping shorter than 64 frustrates password-manager users with long random passwords.
- Character-class requirements. Modern recommendation: don't require them. Length matters more than complexity.
- Mandatory rotation. Modern recommendation: only rotate on credible compromise, not on a schedule.
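As an added example (not code from this guide or from vibecheck), a stdlib-only Python audit that walks HTML for password inputs, flags autocomplete="off" and any maxlength cap below 64 from the list above, and proposes current-password or new-password for the fix. The form heuristic (two or more password fields means a registration or password-change form) and the sample markup are assumptions constructed for this example.

```python
from html.parser import HTMLParser

class PasswordFieldAuditor(HTMLParser):
    """Flags autocomplete="off" and maxlength < 64 on password inputs."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (line, issue, suggested replacement)
        self._form_fields = []  # password inputs seen inside the open <form>

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._form_fields = []
        elif tag == "input":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("type", "").lower() == "password":
                self._form_fields.append((self.getpos()[0], a))

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def close(self):
        super().close()
        self._flush()           # password inputs outside any <form>

    def _flush(self):
        # Assumed heuristic: two or more password fields means registration or
        # password change (new-password); a single field means login.
        n = len(self._form_fields)
        suggestion = "new-password" if n >= 2 else "current-password"
        for line, a in self._form_fields:
            if a.get("autocomplete", "").lower() == "off":
                self.findings.append((line, 'autocomplete="off"', suggestion))
            cap = a.get("maxlength", "")
            if cap.isdigit() and int(cap) < 64:
                self.findings.append((line, f"maxlength={cap}", "maxlength >= 64"))
        self._form_fields = []

def audit_html(markup):
    parser = PasswordFieldAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings
# Constructed sample markup (not from any real app): a login form and a signup form.
SAMPLE = """<form action="/login">
<input type="password" name="pw" autocomplete="off" maxlength="20"></form>
<form action="/register"><input type="password" name="pw1" autocomplete="off">
<input type="password" name="pw2" autocomplete="new-password"></form>"""
```

Running audit_html(SAMPLE) reports the login field twice (the attribute and the 20-character cap) and the first signup field once; the field already using new-password is left alone.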
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.