Form fields have correct autocomplete attributes

Why it matters

Missing or incorrect autocomplete attributes force users to type information their browser or password manager already knows. Password managers rely on both the name attribute and autocomplete to distinguish new-password from current-password — without this signal, they may autofill the wrong credential, prefill nothing, or prompt users to save an incorrect entry. WCAG 2.2 SC 1.3.5 (Identify Input Purpose) requires programmatic purpose identification for common personal data fields. Autofill friction is disproportionately punishing on mobile, where typing is slower and error-prone.

Remediation

Add autocomplete and name attributes to every personal-data input. Use new-password on signup and current-password on login — this is the signal password managers use to decide whether to offer to save or fill a credential:

<Input
  type="email"
  name="email"
  autoComplete="email"
  placeholder="Work email"
/>
<Input
  type="password"
  name="password"
  autoComplete="new-password"
  placeholder="Create password"
/>

Never set autocomplete="off" on password fields — it breaks password manager integration across every browser and forces users to type credentials manually on every visit.

Detection

ID: marketing-conversion.form-optimization.autofill-support
Severity: low
What to look for: Examine form input elements in signup, login, and conversion forms. Check whether autocomplete attributes are present and use correct values. Standard values: email for email fields, current-password for login password, new-password for signup password, given-name/family-name for name fields, organization for company name, tel for phone. Also check that inputs have correct name attributes that match field purpose — browsers use both name and autocomplete to infer autofill intent.
Pass criteria: Count all form fields that should have autocomplete attributes (email, password, name, address). Email fields have autocomplete="email", password fields on signup forms have autocomplete="new-password", password fields on login forms have autocomplete="current-password". At least 80% of applicable fields must have correct autocomplete values. Report: "X of Y applicable fields have correct autocomplete attributes."
Fail criteria: Primary form fields (email and password at minimum) are missing autocomplete attributes entirely.
Skip (N/A) when: No forms found, or forms use only a single input field with obvious purpose.
Detail on fail: "Signup form email input has no autocomplete attribute. Password field uses autocomplete='off' which prevents browser and password manager autofill.".
Remediation: autocomplete attributes let browsers and password managers fill forms for returning users. For a signup form:
```
<Input
  type="email"
  name="email"
  autoComplete="email"
  placeholder="Work email"
/>
<Input
  type="password"
  name="password"
  autoComplete="new-password"
  placeholder="Create password"
/>
```
Never use autocomplete="off" on password fields — this breaks password manager integration and forces users to type passwords manually.

Why it matters

Remediation

<Input
  type="email"
  name="email"
  autoComplete="email"
  placeholder="Work email"
/>
<Input
  type="password"
  name="password"
  autoComplete="new-password"
  placeholder="Create password"
/>

Never set autocomplete="off" on password fields — it breaks password manager integration across every browser and forces users to type credentials manually on every visit.

Detection

ID: marketing-conversion.form-optimization.autofill-support
Severity: low
What to look for: Examine form input elements in signup, login, and conversion forms. Check whether autocomplete attributes are present and use correct values. Standard values: email for email fields, current-password for login password, new-password for signup password, given-name/family-name for name fields, organization for company name, tel for phone. Also check that inputs have correct name attributes that match field purpose — browsers use both name and autocomplete to infer autofill intent.
Pass criteria: Count all form fields that should have autocomplete attributes (email, password, name, address). Email fields have autocomplete="email", password fields on signup forms have autocomplete="new-password", password fields on login forms have autocomplete="current-password". At least 80% of applicable fields must have correct autocomplete values. Report: "X of Y applicable fields have correct autocomplete attributes."
Fail criteria: Primary form fields (email and password at minimum) are missing autocomplete attributes entirely.
Skip (N/A) when: No forms found, or forms use only a single input field with obvious purpose.
Detail on fail: "Signup form email input has no autocomplete attribute. Password field uses autocomplete='off' which prevents browser and password manager autofill.".
Remediation: autocomplete attributes let browsers and password managers fill forms for returning users. For a signup form:
```
<Input
  type="email"
  name="email"
  autoComplete="email"
  placeholder="Work email"
/>
<Input
  type="password"
  name="password"
  autoComplete="new-password"
  placeholder="Create password"
/>
```
Never use autocomplete="off" on password fields — this breaks password manager integration and forces users to type passwords manually.

Form fields have correct autocomplete attributes

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

Form fields have correct autocomplete attributes

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History