Adding The autocomplete Attribute To Forms And Password Fields In Drupal 6

Many modern browsers now come with auto-complete functionality so that users can fill in their details quickly without having to type in their username and password every time they want to log on. This can be turned off by adding the attribute "autocomplete" to the form and password elements and setting its value to 'off'.

Setting the autocomplete attribute to off on password fields (and forms containing password fields) can add an added level of security to your Drupal site. This is especially important as if the computer is stolen it is more likely to contain saved passwords that will allow access to sensitive systems. So turning this feature off might be beneficial for certain systems, especially those with very sensitive information.

To add the autocomplete attribute to the login forms in Drupal 6 you need to intercept two forms. These are user_login_block and user_login. This can be done with a couple of simple hook_form_form-id_alter() functions that just add the needed attribute to the form. As this is Drupal 6, these functions need to go into a module.

/**
 * Implementation of hook_form_alter().
 *
 * Set the autocomplete attribute to off on the user_login_block form.
 */
function MYMODULE_form_user_login_block_alter(&$form, &$form_state) {
  $form['#attributes']['autocomplete'] = 'off';
}

/**
 * Implementation of hook_form_alter().
 *
 * Set the autocomplete attribute to off on the user_login form. 
 */
function MYMODULE_form_user_login_alter(&$form, &$form_state) {
  $form['#attributes']['autocomplete'] = 'off';
}

Because different browsers implement the autocomplete feature in different ways you need to set the autocomplete attribute on both forms and elements. So adding the change to just the login form isn't enough, you also have to add the attribute to the password fields. One way of doing this is to create a hook_form_alter() hook and loop through every element in every form, checking for password fields, but that is a bad thing to do.

There is, however, a much easier way of doing this by creating a theme_password() theme override function. This function is run every time a password field is rendered, and by adding a single line to (add the autocomplete attribute) every password field will then contain it. Add the following code to your template.php file in your theme.

/**
 * Render password input field with autocomplete off.
 */
function MYTHEME_password($element) {
  $size = $element['#size'] ? ' size="'. $element['#size'] .'" ' : '';
  $maxlength = $element['#maxlength'] ? ' maxlength="'. $element['#maxlength'] .'" ' : '';

  // Set all password elements to have the autocomplete attribute set to 'off'
  $element['#attributes']['autocomplete'] = 'off';

  _form_set_class($element, array('form-text'));
  $output = '';
  return theme('form_element', $element, $output);
}

With everything in place you will now find that your users will now have to enter their passwords by hand if they wish to log on.