Need to disable Autocomplete Password in Browser for Confluence

For PCI compliance, I need to disable the storing of passwords in the browsers. Is there a way to configure that?

7 answers

Is it possible to modify the login.vm file (https://confluence.atlassian.com/display/DOC/Customising+the+Login+Page) so that the os_password input box contains the attribute autocomplete="off" ?

E.g.

<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>

I haven't got access to a Confluence instance where I can try this out, but it might/should do the trick. Bear in mind that this is probably not valid markup with certain DocTypes, so if that is important you may need to use JavaScript to set the attribute.

For good measure, you may want to add the attributes autocapitalize="off" and autocorrect="off" to the os_username field, to control automatic correction or capitalization on iOS devices.

E.g.

<input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>

Thanks, this pointed me in the right direction. I ended up having to edit the \confluence\template\au\password.vm file and so it said <input type="password" autocomplete="off" name="$!webwork.htmlEncode($parameters.name)" id="$!webwork.htmlEncode($parameters.id)" ##

0 vote

You can do it with a bit of JavaScript, but it's pretty much a waste of time, because:

  • It's a browser function, NOT a site function
  • You need to code for all browsers
  • You need to code for browser plugins that might autofill
  • It irritates users when you do it, and they often get quite determined to get around it (this one is a personal opinion - I certainly get annoyed and force sites to work with a spot of scripting)
  • It's a doddle for a browser or determined user to bypass

It is not a big problem for you to remove all saved passwords on your browsers if you have a step-by-step guide. I found this useful guide to disable Autocomplete Password in Browser which may be helpful for you, too.

We also need to do the same in Stash and JIRA, also for PCI compliance so failure is not an option :-)

0 vote

I believe John's answer about editing the .vm is still correct, you can embed something to try to disable autocomplete in the login.

But, browsers are still completely free to ignore it. I'm afraid you might want to have another look at the PCI compliance rules you've got - they can't demand something that simply can't be enforced. My browser regularly overrides it on several sites, and I'd probably do the same if someone inflicted it on Confluence/Jira etc.

Thanks Nick. Looking at JIRA I find include/loginform.jsp which contains the password input. Am I correct in assuming that I can change this file and just have to remember to reapply the change after maintenance or upgrades?

I'm still looking for the correct place to make the change in Stash if you can point that out.

Fortunately I am only responsible for getting the servers to pass the audit. Client behavior is out of scope.

0 vote

Yeah, that's the one and the method. I don't know Stash code well enough, sorry. (Still not sure it's in the slightest bit worth doing, as "compliance" doesn't matter where it can be bypassed, it's still an issue, but hey)
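
Added example, not part of the thread and not Atlassian code: because the template edits discussed above have to be reapplied after maintenance or upgrades, a check like this over the rendered login page HTML reports any password input that is missing autocomplete="off". The function names and both sample pages are assumptions constructed for illustration; the check only confirms what the server sends, not what a browser does with it.

```javascript
// Added example: flag password inputs in rendered login HTML that lack autocomplete="off".
// Both samples are constructed for illustration, not real Confluence/JIRA output.
const SAMPLE_PATCHED = `
<form method="post">
  <input type="text" name="os_username" id="os_username" class="text " autocapitalize="off" autocorrect="off"/>
  <input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>
</form>`;

const SAMPLE_UNPATCHED = `
<form method="post">
  <input type="text" name="os_username" id="os_username" class="text "/>
  <input TYPE='password' name="os_password" id="os_password" class="password "/>
  <input type=password name=confirm autocomplete=on>
</form>`;

// Parse one <input ...> tag into a map of lower-cased attribute names to values.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// Return one finding per password input whose autocomplete attribute is
// missing or set to anything other than "off" (case-insensitive).
// Limitation: the tag scan assumes no ">" appears inside an attribute value.
function findUnprotectedPasswordInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const attrs = parseAttributes(tag);
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    const ac = attrs.autocomplete;
    if (ac === undefined || ac.toLowerCase() !== "off") {
      findings.push({ name: attrs.name || attrs.id || "(unnamed)", autocomplete: ac ?? null });
    }
  }
  return findings;
}

console.log("patched:", findUnprotectedPasswordInputs(SAMPLE_PATCHED));
console.log("unpatched:", findUnprotectedPasswordInputs(SAMPLE_UNPATCHED));
```
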
