Fix guide · low · password_field_no_autocomplete
Password input has no autocomplete attribute
An <input type="password"> has no autocomplete attribute. Password managers can't reliably identify the field, leading to manual password entry (typo-prone, shoulder-surfable) or users disabling autofill for your site entirely.
Why it matters
Password managers (1Password, Bitwarden, LastPass, Apple Keychain, Chrome's built-in) decide whether to autofill a field based on a combination of signals: type="password", surrounding form context, field name, label proximity, AND the explicit autocomplete attribute. Without that attribute, the manager falls back to heuristics that are less reliable — many users see their password manager fail to recognise the form and end up typing manually.
Manual password entry is a security problem:
- Typos lead to repeated attempts that look like brute force to your backend (and to monitoring systems).
- Shoulder-surfing — typed passwords are visible to anyone watching the screen.
- Users pick weaker passwords when they have to remember them rather than have them autofilled.
- Reuse goes up — a password the user can type from memory is one they're using on 30 other sites.
The fix is two extra characters of HTML. WHATWG and OWASP ASVS 4.0 both recommend explicit autocomplete tokens:
- autocomplete="current-password" — login forms. Tells the manager "this is the existing password; offer to autofill."
- autocomplete="new-password" — registration and password-change forms. Tells the manager "this is a new password; offer to generate one."
Modern frameworks default to including these (React Hook Form's password input, etc.). If yours don't, it's worth setting them everywhere.
How to fix it
<!-- Login form -->
<input type="password" name="password" autocomplete="current-password" required>
<!-- Registration form -->
<input type="password" name="password" autocomplete="new-password" required>
<!-- Change password form: the old password uses current-password; the new and confirm fields both use new-password -->
<input type="password" name="oldPassword" autocomplete="current-password" required>
<input type="password" name="newPassword" autocomplete="new-password" required>
<input type="password" name="confirmPassword" autocomplete="new-password" required>
Also useful — pair with autocomplete on the email/username field:
<input type="email" name="email" autocomplete="username" required>
<input type="password" name="password" autocomplete="current-password" required>
The autocomplete="username" tells the manager which field to fill the saved username into — without it, some managers fill the wrong field on dual-input forms.
Reference: WHATWG autocomplete spec lists the full token set; current-password and new-password are the relevant two.
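To catch this before it ships, the same check can run over rendered templates in CI. The following is an added example, not vibecheck's scanner or code from this guide: a standard-library Python audit that reports password inputs with no autocomplete attribute and, as assumptions of the example, also reports values that lack current-password or new-password and login forms with no autocomplete="username" field. The names PasswordFieldAudit, audit and SAMPLE are hypothetical.

```python
from html.parser import HTMLParser

PASSWORD_TOKENS = {"current-password", "new-password"}

class PasswordFieldAudit(HTMLParser):
    """Collects (line, field, problem) tuples for password inputs."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # state of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        line, a = self.getpos()[0], dict(attrs)
        if tag == "form":
            self._form = {"line": line, "pw": set(), "user": False}
        if tag != "input":
            return
        # The attribute may carry several tokens, e.g. "section-a current-password".
        tokens = set((a.get("autocomplete") or "").lower().split())
        if self._form:
            self._form["user"] |= "username" in tokens
            self._form["pw"] |= tokens & PASSWORD_TOKENS
        if (a.get("type") or "").lower() != "password" or tokens & PASSWORD_TOKENS:
            return
        # Missing attribute is this page's finding; flagging other values is an assumption.
        problem = "missing-autocomplete" if "autocomplete" not in a else "unrecognised-token"
        self.findings.append((line, a.get("name") or "?", problem))

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            # Hint only: a login form with no autocomplete="username" companion field.
            if self._form["pw"] == {"current-password"} and not self._form["user"]:
                self.findings.append((self._form["line"], "<form>", "no-username-field"))
            self._form = None

def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample markup, not taken from any real site.
SAMPLE = """<form action="/login">
<input type="email" name="email">
<input type="password" name="password">
</form>
<form action="/signin">
<input type="text" name="user">
<input type="password" name="pw" autocomplete="section-a current-password">
</form>"""
```

Calling audit(SAMPLE) returns one tuple per problem, sorted by line number, so the result can be used to fail a build when the list is not empty.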
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.