Prevent password caching

Maybe try the combination of both of these:

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

<%
 ' NO CACHE
Response.Expires = -1000
%>

Otherwise it is in the hands of the user:

http://itinfo.mit.edu/article.php?id=6707

You can also add this in your form:

<FORM AUTOCOMPLETE = "off">

<INPUT TYPE = "password" NAME = "txtPassword" AUTOCOMPLETE = "off">

Neither seem to make a difference.

The particular problem is with FireFox; if FireFox smells a password field, when you click submit, it asks if you want to save the password.  If the user does this only once, the next time you access that page, the username and password fields are automatically populated with the password.  
If this happens on an 'Account Details' page and the user then hits 'save', the user is saved with the wrong, prepopulated username and password.

Much hilarity ensues, as users complain that they can't login because their usernames and/or passwords have been changed by someone who just wanted to update a telephone number...

Any other ideas...

J.

What happens if you do this:

<input type="password" value=" ">

Just an idea, since you would be putting a space in by defualt?

or just <...... value=""> with no space?

Well the concept that anyone can edit a single form which includes telephone number and password of a user is wrong. You should have seperate forms for that, one in which the user can update his own password, and another in which other data can be changed.

Furthermore, it seems strange that you apparently do not check if the person who is logged in is the same person who updates the form.

Incidentally autocomplete=off support is being hotly debated by the firefox developers.  

Pros n cons
-  Websites should not dictate how a user works with their browser
-  Storing of passwords is a security concern to financial institutions

Ultimately sybe brings up the best point here, most sites (and applications/Operating Systems for that matter) recognize password mamagement as being
different from profile/account management

Hey, check the case in your HTML, tags and attributes should be lowercase.

If this is XHTML, your browser is gonna start ignoring all sorts of stuff on you.

>> Well the concept that anyone can edit a single form which includes telephone number and password of a user is wrong.

Agreed, but not something I can change -- it's in the FS: "User details page, where account, password and personal details can be changed by an administrator".  Gotta love business people and their little rules.  Still, separating the account and personal details isn't going to fix the issue; it's still going to update.

I'm going to have to add a GUID to my field names, aren't I...

J.

Another comment is that autocomplete for passwords is honored only for encrypted forms, so you might want to consider moving a portion of this into SSL.

Cheers again,
-Bill

>>Maybe not, why not change just the password fields in your edit form,
>>the problem maybe your login page uses the same field names as the edit page.

If this is the case you may also look at generating a random field name each time the page loads, then the likelyhood of the password name field may being the same twice is significantly reduced?

Thats what the poster suggested, and no, don't use random ever unless
you understand it.    The GUID is a better approach, but its still overkill
for this scenario.

Cheers,
-Bill

One last try:

With further research I discovered the autocomplete=off works:

For IE in both the <form> and individual <input> tags.

For Firefox only in the <form> tag

You may want to try to test this ...

I couldn't get autocomplete to function consistently enough so I went with a GUID in the end; it was clean enough to code and a little more 'universal'.  

Thanks to all.

J.