Skip to main content

Don't let your browser autofill your passwords — here's why

Laptop displaying text 'Enter password' and 'Log in'.
(Image credit: mangpor2004/Shutterstock)

You should turn off autofill in your password manager, and stop using some browser password managers altogether, argues a Czech security researcher.

"Most password managers have the autofill feature enabled by default, even though it reduces the security of the stored password," said Marek Toth, a penetration tester at Avast, in a recent blog post.

Autofilling is when your password manager fills in the username and password fields in a website's login page with your saved credentials without you actively prompting the password manager. 

The characters pasted into the field can then be "read" by scripts present in the login page — such as might be preset in an online ad that has nothing to do with the page itself — and those scripts will be able to copy and send your username and password anywhere. 

Of course, those scripts could also read your username and password when you actively fill in the fields when logging in, but at least you have control over when that happens. 

Autofilling tries to fill those fields all the time. Malicious scripts can and sometimes do create invisible login fields that you can't see to catch those credentials without your knowledge, as three researchers discovered in 2017.

Toth found that most major web browsers, including Chrome, Firefox, Edge, Internet Explorer, Opera and Vivaldi automatically filled in usernames and passwords by default, as did the stand-alone password managers LastPass, Dashlane and Sticky Password

The Safari and Brave browsers did not autofill passwords, Toth said, nor did the 1Password, RoboForm and Bitwarden password managers. Another password manager, Keeper, will autofill passwords on a site-by-site basis with user permission.

"By activating autofill by default, our users perceive the value of a password manager sooner," Dashlane Chief Technology Officer Frédéric Rivain told us. "This ultimately increases their chances to continue using a password manager and thus become more and more secure."

"The autofill also provides an anti-phishing protection as Dashlane only suggests users' information on the specific website linked to their password," Rivain added. "The only vulnerability identified is when an attacker has modified the website you're logging into, in which case they can steal your password whether or not you have autofill enabled."

"We are constantly evaluating ways to improve the autofill flow to protect our users while still offering a convenient login experience," said Dan DeMichele, vice president of product management at LastPass. "we always recommend users only visit sites and click on links that they trust to prevent against potential attempts to steal login information."

"If the user wants to be in control of the credential filling, this option is available as an extension preference setting and, for Business users, as a policy," DeMichele added. "Delivering a secure service for our users remains our top priority."

We've got instructions below on how to disable autofill in Dashlane, LastPass and the browsers in which it's possible.

See what happens for yourself

You can see what Toth is talking about by using his online demonstration. Enter a fake username and password into the login fields on this page, and let your browser or password manager save the credentials:

https://websecurity.dev/password-managers/login/

Then go in the same browser to this page. You may have to click somewhere on the page or click on the "Allow Notifications" box for this work:

https://websecurity.dev/password-managers/autofill/

If your browser or password manager automatically fills in passwords, you'll see the username and password you typed in displayed on the page. 

Username and password displayed on a website demonstrating the risks of letting password managers autofill passwords.

(Image credit: Marek Toth/Tom's Guide)

That's a major security risk because not only you can see those credentials, but a malicious script embedded in the web page might be able to as well. 

Modern websites are full of third-party tracking scripts, embedded frames and dynamic ads that often have nothing to do with the company running the website, and any one of those elements might be able to steal your username and password.

This isn't a new discovery, to be sure. We found several older blog posts by different researchers advocating against letting browsers and password managers autofill passwords. Here's a demo, related to the 2017 study mentioned earlier, that tests whether browsers are autofilling:

https://senglehardt.com/demo/no_boundaries/loginmanager/index.html

And here are the results:

A browser displaying a username and password as a demonstration of the risks of letting browsers autofill saved passwords.

(Image credit: Steven Englehardt/Tom's Guide)

How to disable autofilling

So how do you get around this? 

Well, first of all, stop using browsers to save your passwords, or at least sensitive passwords such as those for social media, email and anything that involves credit cards or financial transactions, including banking and shopping sites. It's already too easy to steal saved passwords from web browsers in other ways.

You can't even disable autofilling in many Chromium-based browsers, including Chrome, Opera and Vivaldi. Brave is an exception because it doesn't autofill to begin with, and Edge has a special Microsoft-only setting. 

How to disable autofilling in Firefox

1. Open a new tab.

2. Click the gear icon at the top right of the page.

3. Scroll down to and click Manage more settings.

4. Click Privacy and Security in the left-hand navigation bar.

5. Scroll down to Logins and Passwords and deselect "Autofill logins and password".

How to disable autofilling in Microsoft Edge

Microsoft gets around Chromium's limitations by adding a Windows security check if you disable autofill. You'll have to input your Windows user password if you want the browser to fill in your passwords.

1. Click the three horizontal dots at the top right of the browser window.

2. Scroll down to and click Settings.

3. In the Personal profile window that appears, select Passwords.

4. Under "Offer to save passwords/Sign in", select "With device password."

5. Enter your Windows user password.

How to disable autofilling in LastPass

Instead of using a browser to save your passwords, use a password manager. LastPass is our top choice among best password managers, but it's one of the main offenders in autofilling. 

The option is turned on by default, even though if you turn autofilling off and then turn it back on again, you get a big fat warning pop-up telling you it's a security risk. 

A warning pop-up advising LastPass users of the risks of letting the password manager autofill passwords.

(Image credit: LastPass)

Here's how to turn off autofilling in LastPass:

1. Click the LastPass extension icon in your web browser.

2. Scroll down to and click Account Options.

3. Click Extension Preferences.

4. Under General, deselect "Automatically fill login information".

LastPass will still work fine after you make this change. To log into websites for which LastPass has saved the credentials, you'll just have to click the LastPass icon that displays in each login form field.

How to disable autofilling in Dashlane

The other big password manager that autofills by default is Dashlane. You'll have to disable autofill on a site-by-site basis.

1. Open the Dashlane web interface, mobile app or desktop application.

2. Select the credential you want to edit.

3. Under Autofill options, deselect "Automatically log me into this website".

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.