web application password auto-complete risk

pma111
We have run a few vulnerability scanners over a few of our web apps, and one of the 'low risk' errors it flags is that password auto-complete is enabled.

I went to the login page for the said system, which has an initial login page where users need to supply username & password combination, and 'viewed source' - which does show a line in the HTML of:

<p><label for="httpd_password">Password</label> <input name="httpd_password" type="password"></p>

This was the extract from the vulnerability assessment report. My question is, how big of a risk is this? I am not fully confident it does auto-complete anything, as if I log out of the system, close the browser and retry access, I am back to the login page where I need to enter my credentials again. Nothing has been auto-completed for me. Is something superseding this so-called vulnerability to make it less of a problem, hence the low risk scoring, or is this something to be worried about? I haven't tried every browser to see how it behaves. Is it good practice to turn this off on any web app?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
From a user perspective, auto complete is local to the user's computer and is not a security risk assuming the user practices good password construction.

A good financial web page logs the user out if they close the browser without logging out.

So from a user perspective, risks are (can be) minimal.
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013
Commented:
The previous answer is not really on target as far as what your scan is referring to.

Look at the form tag instead.  It will look something like
<form action="/some_method_or_page" method="post" autocomplete="on">
The autocomplete attribute may be set to 'on' or missing.  Try adding autocomplete="off"

That prevents the form from remembering previous data. The risk is: User1 hits the form and proceeds to use your app. User2 hits the same form on the same machine and some or all of User1's data is displayed.

While it is a low risk item, adding the autocomplete attribute to off makes it more user friendly when there will be multiple users on the same machine.

Author

Commented:
That's interesting, in the form attribute for the page it has no mention at all of autocomplete so I am guessing this is false positive.
Hi,

When the field has type="password", this allows the user to save the password into the browser; then the user no longer needs to enter their credentials, so this is a sort of auto-complete.

By the way, the form and the field may also have an auto-complete setting, and this can be ignored by the browser, but not type="password".

So when a user saves his pw to the browser, anyone that has access to the computer can log in without knowing the password, and it is very easy to find the information in the browser settings. In my opinion we should never allow this, but in the real world the client may want this...

I would use type="password" only on the login page (if you want to allow the user to save it).
I would not use it elsewhere. I ran into an issue recently about this; it is not a security problem but it can cause a big problem.

For example, if an admin saves his pw into the browser, logs into the backend, let's say to edit another user's profile or pw... the password field will automatically be filled with his own saved password if the field has type="password"; as the field is blurred, the admin will not see it and may save it wrong.
There are other similar cases, so to prevent this, I don't use type="password" for these fields and I blur the field using my custom code.
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Commented:
That's interesting, in the form attribute for the page it has no mention at all of autocomplete so I am guessing this is false positive.

The default per the spec is to be on. If you leave it out, the feature is on and you have to set it to off.
https://www.w3.org/TR/html52/sec-forms.html#element-attrdef-autocompleteelements-autocomplete
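The two rules Scott Fell describes above (a missing autocomplete attribute means "on" per the spec, and a field inherits the form's setting unless it sets its own) are exactly what a scanner applies when it flags a login form. Below is an added example, not code from the page or from any of the experts quoted, that applies those rules to a constructed page fragment, reports each password input whose effective setting still permits autofill, and applies the suggested fix of adding autocomplete="off" to password inputs that lack the attribute. The regex-based tag parsing is an assumption of this example: it handles simple, well-formed markup like the extract in the question, not arbitrary HTML.

```javascript
// Added example (not the page's or the experts' code): audit password inputs
// for their effective autocomplete state and apply the autocomplete="off" fix.
// Assumption: simple, well-formed markup only; the regexes are not an HTML parser.

// Constructed sample page: the question's extract inside a form with no
// autocomplete attribute, a hardened form, and a stray input outside any form.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <p><label for="httpd_password">Password</label> <input name="httpd_password" type="password"></p>
</form>
<form action="/change-password" method="post" autocomplete="off">
  <input name="pw_inherits_off" type="password">
  <input name="pw_explicit_on" type="password" autocomplete="on">
</form>
<input name="pw_no_form" type="password">
`;

// Parse the attribute list of a single tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || "").trim();
  }
  return attrs;
}

// Effective autocomplete state of one input: its own attribute wins,
// otherwise the enclosing form's, and a missing attribute means "on".
function effectiveAutocomplete(inputAttrs, formAttrs) {
  const own = (inputAttrs.autocomplete || "").toLowerCase();
  if (own) return own;
  return (formAttrs.autocomplete || "on").toLowerCase();
}

// Report every password input with its effective setting.
function auditPasswordAutocomplete(html) {
  const findings = [];
  const scanInputs = (fragment, formAttrs) => {
    const inputRe = /<input\b([^>]*)>/gi;
    let im;
    while ((im = inputRe.exec(fragment)) !== null) {
      const a = parseAttrs(im[1]);
      if ((a.type || "text").toLowerCase() !== "password") continue;
      const effective = effectiveAutocomplete(a, formAttrs);
      findings.push({
        name: a.name || "(unnamed)",
        effective,
        autofillAllowed: effective !== "off",
      });
    }
  };
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let fm;
  while ((fm = formRe.exec(html)) !== null) {
    scanInputs(fm[2], parseAttrs(fm[1]));
  }
  // Inputs outside any form have no form-level setting to inherit.
  scanInputs(html.replace(/<form\b[^>]*>[\s\S]*?<\/form>/gi, ""), {});
  return findings;
}

// The fix suggested above, applied per input: add autocomplete="off" to
// password inputs that do not set the attribute themselves. An explicit
// autocomplete="on" is left alone because it is a deliberate choice.
function hardenPasswordInputs(html) {
  return html.replace(/<input\b([^>]*)>/gi, (tag, body) => {
    const a = parseAttrs(body);
    if ((a.type || "").toLowerCase() === "password" && !("autocomplete" in a)) {
      return `<input${body} autocomplete="off">`;
    }
    return tag;
  });
}

// Stand-alone run: show the audit before and after hardening.
console.log("before hardening:", auditPasswordAutocomplete(SAMPLE_HTML));
console.log("after hardening: ", auditPasswordAutocomplete(hardenPasswordInputs(SAMPLE_HTML)));
```

Run it with node and compare the two reports: the question's httpd_password field shows as "on" before hardening because neither it nor its form sets the attribute. One caveat for anyone treating this finding as closed once the attribute is added: the attribute only tells the browser not to offer form-history autofill, and the built-in password managers of current major browsers disregard autocomplete="off" on login fields, so a saved password can still be offered. That is the point the other expert raised about saved credentials, and it is why the item is scored low: the remaining exposure is the shared-machine case, which is a local-browser and endpoint-policy matter rather than something the markup controls.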