Need to disable Autocomplete Password in Browser for Confluence

For PCI compliance, I need to disable the storing of passwords in the browsers. Is there a way to configure that?

7 answers


Is it possible to modify the login.vm file (https://confluence.atlassian.com/display/DOC/Customising+the+Login+Page) so that the os_password input box contains the attribute autocomplete="off"?

E.g.

<input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/>

I haven't got access to a Confluence instance where I can try this out, but it might/should do the trick, though bear in mind that this is probably not valid markup with certain DocTypes, so if that is important you may need to use JavaScript to set the attribute.

For good measure, you may want to add the attributes autocapitalize="off" and autocorrect="off" to the os_username field, to control automatic correction or capitalization on iOS devices.

E.g.

<input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>

Thanks, this pointed me in the right direction. I ended up having to edit the \confluence\template\au\password.vm file and so it said <input type="password" autocomplete="off" name="$!webwork.htmlEncode($parameters.name)" id="$!webwork.htmlEncode($parameters.id)" ##


You can do it with a bit of JavaScript, but it's pretty much a waste of time, because:

  • It's a browser function, NOT a site function
  • You need to code for all browsers
  • You need to code for browser plugins that might autofill
  • It irritates users when you do it, and they often get quite determined to get around it (this one is a personal opinion - I certainly get annoyed and force sites to work with a spot of scripting)
  • It's a doddle for a browser or determined user to bypass


It is not a big problem for you to remove all saved passwords on your browsers if you have a step-by-step guide. I found this useful guide to disable Autocomplete Password in Browser which may be helpful for you, too.


We also need to do the same in Stash and JIRA, also for PCI compliance so failure is not an option :-)


I believe John's answer about editing the .vm is still correct, you can embed something to try to disable autocomplete in the login.

But, browsers are still completely free to ignore it. I'm afraid you might want to have another look at the PCI compliance rules you've got - they can't demand something that simply can't be enforced. My browser regularly overrides it on several sites, and I'd probably do the same if someone inflicted it on Confluence/Jira etc.


Thanks Nick. Looking at JIRA I find include/loginform.jsp which contains the password input. Am I correct in assuming that I can change this file and just have to remember to reapply the change after maintenance or upgrades?

I'm still looking for the correct place to make the change in Stash if you can point that out.

Fortunately I am only responsible for getting the servers to pass the audit. Client behavior is out of scope.


Yeah, that's the one and the method. I don't know Stash code well enough, sorry. (Still not sure it's in the slightest bit worth doing, as "compliance" doesn't matter where it can be bypassed, it's still an issue, but hey)
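
An added example, not part of the original thread and not Atlassian code: a Node.js check that scans the rendered login-page HTML for password inputs lacking autocomplete="off", so the template edit discussed above can be re-verified after an upgrade overwrites login.vm or loginform.jsp. The function names and both sample forms are constructed for illustration.

```javascript
// Added example: audit rendered login HTML (not the .vm/.jsp source) for
// password inputs that lack autocomplete="off". Sample markup is constructed.

// Parse one tag's attributes into a Map keyed by lowercase attribute name.
function parseAttributes(tagSource) {
  const attrs = new Map();
  const body = tagSource.replace(/^<\s*[a-zA-Z0-9]+/, "").replace(/\/?>$/, "");
  // Matches name="v", name='v', name=v and bare names.
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // Browsers keep the first occurrence of a duplicated attribute.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Return one finding per password input whose autocomplete is missing or not "off".
function auditLoginHtml(html) {
  const findings = [];
  // Quoted values may contain ">", so step over them when finding the tag end.
  const tagRe = /<input\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = parseAttributes(tag);
    if ((attrs.get("type") ?? "text").toLowerCase() !== "password") continue;
    const ac = attrs.get("autocomplete");
    if (ac === undefined || ac.trim().toLowerCase() !== "off") {
      findings.push({ name: attrs.get("name") ?? null, autocomplete: ac ?? null });
    }
  }
  return findings;
}

// Constructed samples: an unmodified form, and the form after the template edit.
const stockForm = `<form><input type="text" name="os_username"/>
  <INPUT TYPE='password' NAME="os_password" title="a > b"></form>`;
const patchedForm = `<form>
  <input type="text" name="os_username" id="os_username" class="text " data-focus="0" autocapitalize="off" autocorrect="off"/>
  <input type="password" name="os_password" id="os_password" class="password " autocomplete="off"/></form>`;

console.log(auditLoginHtml(stockForm));   // one finding for os_password
console.log(auditLoginHtml(patchedForm)); // no findings
```

Run it against the HTML the server actually returns for the login URL; an empty result shows only that the server emits the attribute.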
