How password manager autofill works — and why it fails on some sites

Autofill is the feature most users interact with most often. It is also the feature that fails in ways most users don't understand — no warning, no explanation, credentials simply don't appear in the field. The instinct is to assume the password manager has a bug. Sometimes it does. More often, the failure reflects a real technical tension between how password managers detect login forms and how modern web applications are built.

The mechanism is not a simple field-matching lookup. A browser extension has to detect that a page contains a login form, identify which fields are the username and password fields, determine which saved credential is the correct one for that URL, fill both fields, and avoid triggering the site's own validation logic in ways that break the login flow. Each step has failure modes.

The gap between password managers varies significantly here. For conventional HTML forms with standard input fields, all major managers work reliably. The differences emerge on single-page applications, custom form components, two-step login flows where username and password appear on separate pages, and forms embedded in iframes.

The most common assumption is that autofill failure means the credential isn't there or isn't matched to the right URL. Usually it means the extension couldn't detect the form. Modern web applications built with React, Vue, or Angular frequently use JavaScript-rendered form components that don't use standard HTML input elements. A password manager extension that relies on DOM structure to detect forms will miss these. Extensions that use more heuristic detection — looking at visual context, label text, and input behavior — handle them better.

A second assumption is that saving a credential from the browser's autofill prompt guarantees it will autofill correctly next time. The saving mechanism and the autofill mechanism are separate. A credential can be saved successfully while the extension fails to detect the form on subsequent visits — for example if the site was updated to use a JavaScript-rendered form between sessions.

A third assumption is that all browsers handle password manager autofill the same way. Browser security policies, particularly around autofill on iframes and cross-origin forms, vary. Safari has stricter autofill policies than Chrome on some form types. Extensions that work perfectly in Chrome may have reduced functionality in Safari or Firefox due to extension API differences.

The autofill detection hierarchy most extensions use: standard HTML form fields with type='password' are the most reliably detected. Fields identified by label text or aria attributes are reliably detected. JavaScript-rendered fields that replace standard inputs are less reliably detected and represent the primary source of autofill failures. Two-step logins where username and password appear on separate pages require additional logic that not all extensions handle identically.

Dashlane's autofill is consistently rated most reliable in independent reviews specifically because its detection heuristics handle more non-standard form implementations. Bitwarden's extension is open-source and works well on standard forms; its most commonly reported failure mode is silent non-autofill on SPAs without warning. NordPass and Proton Pass, as newer products, have more edge case failures than established alternatives.

When autofill fails silently, the fallback is to use the extension popup to copy the credential manually. This bypasses autofill detection entirely. It is slower but works regardless of form implementation. For regularly visited sites where autofill reliably fails, manually editing the URL in the credential record to exactly match the form's actual origin often resolves the matching problem.

Autofill reliability is a moving target. Sites update their login implementations; extension developers update their detection logic. A site that worked reliably last month may fail this month after a frontend update. This guide describes general mechanisms; specific site failures may require consulting the extension's community forum or issue tracker.

This guide covers browser extension autofill. Mobile autofill — iOS AutoFill Provider and Android Accessibility Service — operates through different mechanisms with different failure modes. The mobile autofill experience is generally more reliable on password fields but less reliable on custom input components than browser extensions.