yahoo-eng-team team mailing list archive, Message #69124
[Bug 1731853] [NEW] Deprecation of password_autocomplete
Public bug reported:
Currently, Horizon tries to prevent browsers' username/password auto-completion by default.
https://github.com/openstack/horizon/blob/9adb63643778a779c571b4898b315b582bf8fba8/openstack_dashboard/local/local_settings.py.example#L130-L132
However, modern browsers have become more eager to auto-fill forms as a
net gain[1] while preventing users' secrets from being filled in insecure
forms[2]. In these circumstances, blocking auto-filling does not offer
much security gain. Is it time to deprecate the "password_autocomplete"
switch or at least flip the default value?
To address the point in the security guide[3], the flaw described there
exists regardless of the value of password_autocomplete, because
password_autocomplete just hides the fake form with CSS, but the
password is already filled in by the browser at the HTML level. The
assumed other user already has the same privilege to see the saved
password, since the password is saved regardless of the value of
password_autocomplete.
[1] https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
> Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
>
> For this reason, many modern browsers do not support autocomplete="off" for login fields
[2] https://developer.mozilla.org/en-US/Firefox/Releases/52#Security
> Autofill is also disabled on insecure login forms
[3] https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-07-is-password-autocomplete-set-to-false
> it introduces a flaw, as the user account becomes easily accessible to anyone that uses the same account on the client machine
** Affects: horizon
Importance: Undecided
Status: New
** Affects: ossp-security-documentation
Importance: Undecided
Status: New
** Also affects: ossp-security-documentation
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1731853
Title:
Deprecation of password_autocomplete
Status in OpenStack Dashboard (Horizon):
New
Status in OpenStack Security Guide Documentation:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1731853/+subscriptions
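The reporter's central claim is that the "fake form hidden with CSS" only changes which input the browser fills, not whether the saved password lands in the page at all. The following is an added example, not Horizon's code and not part of the bug report: it models a login form with a CSS-hidden decoy username/password pair (the decoy field names and markup are assumptions standing in for Horizon's template), renders it for both values of the `password_autocomplete` switch, and runs a simplified model of browser autofill (fill the first password input and the nearest preceding text input, ignoring CSS, which is an assumption about browser behaviour). In both configurations the saved password ends up in an input in the document; only the input's name differs.

```python
"""Added example (not Horizon's code): why a CSS-hidden decoy form does not
keep a browser-saved password out of the rendered login page.

The template, the decoy field names and the autofill model below are
assumptions for illustration, not copied from Horizon or any browser.
"""
from html.parser import HTMLParser

# Simplified stand-in for a Horizon-style login form (assumed markup).
LOGIN_TEMPLATE = """<form method="post" action="/auth/login/">
{decoy}<label>Username <input type="text" name="username"></label>
<label>Password <input type="password" name="password"></label>
<button type="submit">Sign In</button>
</form>"""

# Decoy pair hidden with CSS. A browser's autofill works on the DOM, not on
# the computed style, so these inputs are still candidates for filling.
DECOY = ('<div style="display:none">'
         '<input type="text" name="fakeusernameremembered">'
         '<input type="password" name="fakepasswordremembered">'
         '</div>\n')


def render_login_form(password_autocomplete: str) -> str:
    """Render the form as the bug report describes the switch: when it is
    not "on", the CSS-hidden decoy pair is emitted before the real fields."""
    decoy = "" if password_autocomplete == "on" else DECOY
    return LOGIN_TEMPLATE.format(decoy=decoy)


class _InputCollector(HTMLParser):
    """Collect every <input> with its attributes, in document order,
    ignoring CSS entirely."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def autofill(html: str, saved_username: str, saved_password: str) -> dict:
    """Simplified model of saved-credential autofill (assumption): fill the
    first password input and the closest text input that precedes it.
    Returns a mapping of input name -> value the browser would insert."""
    parser = _InputCollector()
    parser.feed(html)
    inputs = parser.inputs
    pw_index = next((i for i, a in enumerate(inputs)
                     if a.get("type") == "password"), None)
    if pw_index is None:
        return {}
    filled = {inputs[pw_index]["name"]: saved_password}
    for attrs in reversed(inputs[:pw_index]):
        if attrs.get("type", "text") == "text":
            filled[attrs["name"]] = saved_username
            break
    return filled


def password_in_page(password_autocomplete: str,
                     saved_username: str, saved_password: str) -> bool:
    """True when the saved password is placed into some input of the
    rendered page, whichever input that is."""
    html = render_login_form(password_autocomplete)
    return saved_password in autofill(html, saved_username, saved_password).values()


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    for switch in ("off", "on"):
        page = render_login_form(switch)
        print(f'password_autocomplete="{switch}":',
              autofill(page, "alice", "constructed-example-secret"))
```

With the switch "off" the model fills the hidden decoy pair; with it "on" it fills the real fields. Either way `password_in_page` is true, which is the reporter's point: the switch does not keep the saved secret out of the page, and anyone who can use the same browser profile can already retrieve the stored password regardless of the setting.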