Break things, write reports

Shitty Pentest Findings - Password Autocomplete Enabled

If you had a pentest and it had a finding of 'Password autocomplete enabled', it was probably a shitty pentest.

Tags: shitty pentest | Categories: Pentesting
Posted at: Aug 6, 2019

Tl;dr

autocomplete=off - Browsers have ignored this attribute since 2014, because it’s a stupid thing to include in a threat model.

Less tl;dr

If you don’t know what I mean, check out https://hackerone.com/reports/7954 for an example.

Notably, browsers have ignored this since 2014 (https://chromereleases.googleblog.com/2014/04/stable-channel-update.html), a fact that seems to be overlooked in a lot of bug bounty submissions.