JENKINS-71566

Ability to set autocomplete="off" for password field(s) on login page


      Most recent browsers have features that will save password field content entered by users and then automatically complete password entry the next time the fields are encountered. This feature is enabled by default and could leak the password, since it is stored on the hard drive of the user. The risk of this issue is greatly increased if users are accessing the application from a shared environment. Recommendations include setting autocomplete to "off" on all your password fields.

      Please Note: Recent versions of most browsers, as noted below, now ignore the autocomplete="off" attribute for password fields in HTML forms. Users are allowed to decide the password policy at their own discretion using the password manager. Although the setting is ineffective on these versions of browsers, it would continue to protect website users of earlier versions of these and other browsers that support this attribute.

      Browsers NOT Supporting autocomplete="off":

      1. Internet Explorer version 11 or above
      2. Firefox version 30 or above
      3. Chrome version 34 or above
      4. For other browsers, please refer to vendor specific documentation

      We are requesting the ability to disable autocomplete for earlier browser versions by being able to set autocomplete="off" on the /login and /loginError page password fields based on a security configuration on Jenkins.

            Unassigned Unassigned
            kevin_springsteen Kevin
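A check for the attribute requested above, as an added example that is not part of the original issue or of Jenkins: it parses login-page HTML and lists password fields whose effective autocomplete value is not "off", treating a value on the enclosing form as the default for its inputs. The sample markup and the field names in it are constructed, and the check covers the served markup only, not whether a given browser honors the attribute.

```python
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect each <input type="password"> with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_default = None  # autocomplete value of the enclosing <form>, if any
        self.fields = []          # (field name, effective autocomplete value or None)

    @staticmethod
    def _norm(value):
        return (value or "").strip().lower() or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_default = self._norm(a.get("autocomplete"))
        elif tag == "input" and self._norm(a.get("type")) == "password":
            # A value on the input overrides the form-level default.
            effective = self._norm(a.get("autocomplete")) or self.form_default
            self.fields.append((a.get("name") or "", effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_default = None


def fields_missing_autocomplete_off(html):
    """Return names of password fields whose effective autocomplete is not "off"."""
    audit = PasswordAutocompleteAudit()
    audit.feed(html)
    audit.close()
    return [name for name, value in audit.fields if value != "off"]


# Constructed sample markup (not the actual Jenkins login page).
SAMPLE_DEFAULT = """<form method="post" action="login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>"""
SAMPLE_HARDENED = """<form method="post" action="login" autocomplete="on">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off">
</form>"""

if __name__ == "__main__":
    for label, page in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, fields_missing_autocomplete_off(page))
```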