Password field "autocomplete" functionality in PPM and other products' form authentication on all browsers

Article ID: 143406

Products

CLARITY PPM FOR ITG, Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

Vulnerability Name: AutoComplete Attribute Not Disabled for Password in Form Based Authentication

Most modern web browsers allow storing of the username and password in web authentication forms.

This was not always the case. Why does this occur now?

There is a vulnerability concern that an unauthorised user can click through a web authentication form whose fields have been filled in by autocomplete, thus gaining access to sensitive data.

How can PPM and other products be safeguarded from this type of use?

Environment

This is general advice for any web software, on most browsers (Chrome, Firefox, Edge, Safari, Internet Explorer etc).

The specific query originated from CA PPM, for any version.

Resolution

Resolution in Brief

The following findings have come from a review by Broadcom Software Engineering in ticket DE51852.

1) Browsers have moved towards allowing the saving of username and passwords as a standard.

This functionality is working as expected in PPM. This is not something that will be addressed further in product, as control rests with the browser environment.

2) Individual users may disable password saving at the browser level.

They may also secure access to the browser/browser data by other means.

These approaches work with PPM if required.

Technical Background

For PPM, the flag "autocomplete=off" is already set at the form level, in the login page.

However, by design many browsers will not honour this setting. They will still prompt for saving the credentials. This occurs at the browser level, and so applies to many products, and not only PPM.

This Mozilla Developer Network page covers the theory well for many modern browsers: How to turn off form autocompletion. In particular this section:

________________

The autocomplete attribute and login fields

Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.

Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

For this reason, many modern browsers do not support autocomplete="off" for login fields:

  • If a site sets autocomplete="off" for a <form>, and the form includes username and password input fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
  • If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.

This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).

________________

That page also has a workaround at the section "Tools for disabling autocompletion," however it notes it is not a complete solution.

The page also covers editing the form to prevent autofilling by setting autocomplete="new-password" on the password field.
However, it notes again that not all browsers honour this.
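The two approaches discussed above, shown side by side as an added illustration (this is not the markup of the PPM login page; the field names and the action URL are placeholders):

```html
<!-- Added illustration, not PPM's actual login page markup.
     Field names (username, password) and the /login action are placeholders. -->

<!-- Variant A: autocomplete="off" at the form level, as PPM already sets.
     As described above, Firefox 38+, Chrome 34+ and Internet Explorer 11
     ignore this for username/password fields and still offer to save the
     login, so this variant does not stop credential saving. -->
<form method="post" action="/login" autocomplete="off">
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Sign in</button>
</form>

<!-- Variant B: the field-level hint from the MDN page.
     autocomplete="new-password" marks the field as one whose value the
     browser should not prefill from its stored credentials. Not all
     browsers honour it, so it reduces autofill rather than preventing the
     browser from offering to save the password. -->
<form method="post" action="/login">
  <label>Username <input type="text" name="username" autocomplete="off"></label>
  <label>Password <input type="password" name="password" autocomplete="new-password"></label>
  <button type="submit">Sign in</button>
</form>
```

Either variant is only a hint to the browser; the per-user browser settings described below remain the effective control in a shared environment.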

Solutions on a Per User Basis

1) This issue arises when an attacker has access to a browser that holds the autocompleted information.
Standard methods of securing the device from unauthorised access, such as an operating system login password with an inactivity timeout, or the user logging out of the operating system, prevent many such opportunities.

2) Password managers have also become a lot more common. Users with a password manager may avoid this issue. By design, they encourage stronger passwords with less re-use, and may have features to avoid this scenario of password autocomplete. They also allow better site-specific control, in addition to "all on" or "all off."

3) The recommended solution for a shared environment, in combination with the above, is for users to request their own browsers not to save passwords.

For example, in Chrome the "Offer to save passwords" option may be turned off by the users: Manage passwords.
________________

Start or stop saving passwords

By default, Chrome offers to save your password. You can turn this option off or on at any time.

  1. On your computer, open Chrome.
  2. At the top right, click Profile > Passwords.
  3. Turn Offer to save passwords on or off.

________________

See Additional Information for links to other sites which cover many browsers.

Turn off the built-in password manager in your browser

Additional Information

Turning off Password Management on Different Browsers

These are but two of many pages on the internet offering advice on disabling autocomplete for user passwords in Edge, Chrome, Firefox, Internet Explorer and Safari. If you have a different browser, search for that browser name and key words such as "disable password autocomplete".

Turn off the built-in password manager in your browser

How to Disable and Clear AutoFill Info in your Browser

Background Information for Developers

You can find similar advice by searching the internet for phrases such as "How to turn off form autocompletion +developers". For example, a similar discussion has been raised specifically for Chrome in this thread, with comments and suggestions which overlap the Mozilla Developer page above: Programmatically disabling Chrome auto-fill
