This repository has been archived by the owner on Oct 12, 2021. It is now read-only.

Remove Password Autocomplete in credential dialog #13

Closed

jamsden opened this issue Jun 28, 2018 · 2 comments

Comments

jamsden commented Jun 28, 2018

The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing a password-type input. The password may be stored in browsers and retrieved.

Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password and automatically enter it whenever the same authentication form is visited. This is a convenience for the user. Additionally, some websites will offer custom "remember me" functionality to allow users to persist logins on a specific client system.
Having the browser store passwords is not only a convenience for end users, but also for an attacker. If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser enter the password.

To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Please note that modern web browsers may ignore this directive. In spite of this, there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.

@berezovskyi (Contributor)

I think users are free to use autocomplete. If a company wants to use Lyo in a PCI-compliant system, we can have a separate discussion with them (but I believe they will have 100% their own GUI). XSS (and CSRF) protection must be enabled on the website anyway. If the attacker got access to the browser and can visit any page and read its DOM, I think it's game over (use 2FA to mitigate that).

I am personally mad at all people who use this attribute, and I have https://chrome.google.com/webstore/detail/force-autocomplete/piechbhjioolbecaioglhamjjjkmbchj?hl=en-US installed to render such attempts to disable autocomplete void. And no, I am not going to "retype" my email twice w/o autocomplete because some bank thinks I can make a typo there. Ditto for _blank attributes that do not allow me control over left/middle button use (https://chrome.google.com/webstore/detail/death-to-blank/gneobebnilffgkejpfhlgkmpkipgbcno?hl=en-US) and pages that try to disable paste on email/password fields (https://chrome.google.com/webstore/detail/dont-fuck-with-paste/nkgllhigpcljnhoakjkgaieabnkmgdkb?hl=en-US).
