Two-factor auth selecting focus and suddenly seeing a dropdown of old, worthless 6-digit numbers comes to mind.

This is about more than just password fields, although that is a big one.

I can give you a legitimate, actual use case where I had to develop a workaround: a page where an admin can change the password for a user. Under no circumstances would an autofill be desirable on that page, yet Chrome thinks it knows best.

Forms implementing their own autocompletion logic seem like a pretty compelling case. E.g. for a search input, it makes sense to offer suggestions based on the domain (valid values, popular searches) rather than previous inputs for the same browser.

> I work on a health industry related web app. Our web app is used by health professionals on tablets that are shared between their team members. We have a form within our app that enables our customers (the health professionals) to set up new Clients (their patients).

> Autofill is a Privacy Violation here as it is retaining identity information about Clients when it MUST NOT.

Seems to make perfectly fine sense to me.

It's useful for <input type=password ...> fields that aren't _actually_ passwords. For instance if a UI wants to hide some secret value and then have a click-to-reveal button. autocomplete=off makes sense in these cases because otherwise the browser tries to show worthless autocomplete dropdowns and if there's any form on the page then submitting it will also prompt you to save it in the autocomplete database. Which is also annoying (and worthless).

When you're trying to deploy your app to a U.S. Department of Defense environment. This includes things like the Veterans Affairs network of hospitals, too. It's a requirement that your web-app has autocomplete disabled (I don't have the DISA STIG ID# off hand...).

I was faced with this dilemma a few years ago. IIRC, the workaround was sketchy as hell. It was something like creating a password input field with the visibility set to none (and then chrome would autofill it, but it wouldn't be visible), and then the user enters their password into a regular text box, but you style the text box with CSS so that it appears as all discs. ~It was something like that, don't recall exactly.

This is one of my pet peeves. Browsers used to be called User Agents. But they've become increasingly user hostile. I want to be able to tell my browser what to remember. Not some random manager/developer who thinks it's insecure for me to have a form field remember my username.

This is one of the areas where browsers could really add some value. Make it easier to decide what to (not) remember. Make it easier to view and edit what's remembered. This is all a tedious pain at the moment, for no good reason I can see.

Autofill many times fill data in wrong fields, and it break UI style too.

I have an app at work that has a Search box. Used to accept regex patterns for selecting a host by name or description on the inventory list below. When clicking on that search box, it pops up a list of other search terms that I've entered on other web sites, which has absolutely nothing to do with this app. And when in a zoom meeting, I really don't want others to see my previously typed-in searches.

At least this is one of the top complaints about my app that I get from the customer service folks that use it. I ended up somewhat fixing this by renaming the field, but sometimes it will still pop in something strange -- is Chrome picking up the word "Search" that appears as part of the user facing page content, even if the field ID is different?

I take it you've never seen Chrome's built-in autofill conflict with an extension that the user installed on purpose?

hell yes. But even worse are customers that want exactly this for "security reasons".

edit: on login pages, beside those are some legitimate usecases.

The linked issue mentions one -- data entry at a medical clinic where new users are being signed up.

the input field to a chatroom, https://i.imgur.com/jhZj8Ur.png

>I can imagine legitimate hypothetical use cases for it. I've just never seen a legitimate actual use case.

I find it somewhat annoying that when I fill out my timecard at the end of the day autocomplete is on the hours field. I never want it to pop up my previous hours worked, that's annoying, I only want to enter the hours I worked today.

I use LastPass with over 600 passwords and have never had this issue...

> I don't want my password fields autocompleting; that sounds like an absolute usability nightmare.

Why? The usability is really good. This feature is invaluable if you use unique random passwords for every web site. Security has to be painless in order to work. If it's not, people will go back to using the same weak password for every site.

Letting web developers tell the browser what fields it should autofill is a fine idea. Unfortunately, they decided to use this power to turn off people's password managers for bullshit "security reasons". This is why we can't have nice things.

I don't think that's a good thing. Perhaps it's better than the alternative (which is that web developers abuse the hell out of the feature), but there's been plenty of cases where autocomplete has annoyed the hell out of me.

For example, I've accidentally reset multiple system passwords on a management interface where I could set the passwords/keys for several components when Chrome helpfully started autocompleting fields.

I'd much rather see a Firefox-style nag screen that notifies the user that the application in question has disabled their ability to autocomplete. If dumb developers disable autocomplete because of backwards "security" policies, showing a message saying "this website has told Chrome to disable autocomplete. If you wish to enable it, contact the website owners" or similar would be much more preferable to me. Maybe even leave the autocomplete behaviour in, but then put it behind a setting somewhere that's off by default.

All the good use cases for autocomplete=off have been ruined by all the terrible web developers and corporate managers out there.

Another thing browsers should not allow the page to override.

There's an extension called "Don't fuck with paste" which disables intercepting paste, not sure how. You have to remember to add sites that you do want to intercept paste (mostly rich text apps) to the whitelist.

And copy. And right click. And text selection.