Vulnerability Name: AutoComplete Attribute Not Disabled for Password in Form Based Authentication
Most modern web browsers allow storing of the username and password in web authentication forms.
This was not always the case. Why does this occur now?
There is a vulnerability concern that an unauthorised user could click through a web authentication form whose fields have been filled in by autocomplete, and thereby gain access to sensitive data.
How can Clarity and other products be safeguarded from this type of use?
This is general advice for any web software, on most browsers (Chrome, Firefox, Edge, Safari, Internet Explorer etc).
The specific query originated from Clarity, for any version.
Resolution in Brief
The following findings have come from a review by Broadcom Software Engineering in ticket DE51852.
1) Browsers have moved towards allowing the saving of username and passwords as a standard.
This functionality is working as expected in Clarity. This is not something that will be addressed further in product, as control rests with the browser environment.
2) Individual users may disable password saving at the browser level.
They may also secure access to the browser/browser data by other means.
These approaches work with Clarity if required.
Technical Background
For Clarity, the flag "autocomplete=off" is already set at the form level, in the login page.
However, by design many browsers will not honour this setting. They will still prompt for saving the credentials. This occurs at the browser level, and so applies to many products, and not only Clarity.
This Mozilla Developer Network page covers the theory well for many modern browsers: How to turn off form autocompletion. In particular this section:
________________
The autocomplete attribute and login fields
Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.
Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.
Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
For this reason, many modern browsers do not support autocomplete="off" for login fields:
If a site sets autocomplete="off" for a <form>, and the form includes username and password input fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
________________
That page also has a workaround at the section "Tools for disabling autocompletion," however, it notes that this is not a complete solution.
The page also covers editing the form to prevent autofilling with: autocomplete="new-password"
However, it notes again that not all browsers honour this.
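The scanner finding named in the title is raised from the markup alone, so the check below (an added example, not code from the Clarity product or the MDN page) audits an HTML string the way such a scanner does: each password <input> inherits the <form>'s autocomplete value unless it sets its own, and only "off" or "new-password" counts as an opt-out. It is deliberately regex-based so it runs offline without a DOM library; the sample HTML is constructed for the example. A clean result here only says what the page declares; as the MDN text above explains, browsers may still offer to save and autofill the credentials.

```javascript
// Added example: audit the effective autocomplete setting of password fields.
// Regex-based on purpose (plain Node, no DOM library); not a full HTML parser.

// Read one attribute value from a tag's attribute text (handles " or ' quoting).
function attr(tagText, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tagText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Values that ask the browser not to offer saved credentials for the field.
// Per MDN, many browsers still ignore "off" on login fields.
const OPT_OUT = new Set(["off", "new-password"]);

function auditPasswordFields(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let form;
  while ((form = formRe.exec(html)) !== null) {
    // Form-level setting; the HTML default when absent is "on".
    const formAutocomplete = (attr(form[1], "autocomplete") || "on").toLowerCase();
    const inputRe = /<input\b([^>]*)\/?>/gi;
    let input;
    while ((input = inputRe.exec(form[2])) !== null) {
      if ((attr(input[1], "type") || "").toLowerCase() !== "password") continue;
      // A field-level value wins; otherwise the field inherits the form's value.
      const own = attr(input[1], "autocomplete");
      const effective = (own || formAutocomplete).toLowerCase();
      findings.push({
        field: attr(input[1], "name") || attr(input[1], "id") || "(unnamed)",
        effective,
        flagged: !OPT_OUT.has(effective),          // what a scanner would report
        formLevelOnly: own === null && OPT_OUT.has(effective), // opt-out inherited from <form>
      });
    }
  }
  return findings;
}

// Constructed sample: form-level "off" (inherited), a per-field "new-password",
// and a password field with no opt-out at all.
const SAMPLE_HTML = `
<form id="login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pwd">
</form>
<form id="reset" method="post">
  <input type="password" name="newPwd" autocomplete="new-password">
  <input type='password' name='confirm'>
</form>`;

console.table(auditPasswordFields(SAMPLE_HTML));
```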
Solutions on a Per User Basis
1) This issue arises when an attacker has access to the browser with the autocompleted information.
Standard methods of securing the workstation and its browser from unauthorised access, such as protecting the operating system with a login password and a timeout on inactivity, or an O/S logout by the user, prevent many such opportunities.
2) Password managers have also become a lot more common. Users with a password manager may avoid this issue. By design, they encourage stronger passwords with less re-use, and may have features to avoid this scenario of password autocomplete. They also allow better site-specific control, in addition to "all on" or "all off."
3) The recommended solution for a shared environment, in combination with the above, is for users to request their own browsers not to save passwords.
For example in Chrome the "Offer to save passwords" option may be turned off by the users.
________________
By default, Chrome offers to save your password. You can turn this option off or on at any time.
________________
See Additional Information for links to other sites which cover many browsers.
Turning off Password Management on Different Browsers
These are but two of many pages on the internet offering advice on disabling autocomplete for user passwords in Edge, Chrome, Firefox, Internet Explorer and Safari. If you use a different browser, search for that browser name together with key words such as "disable password autocomplete".
Turn off the built-in password manager in your browser
How to Disable and Clear AutoFill Info in your Browser
Background Information for Developers
You can find similar advice by searching the internet for phrases such as "How to turn off form autocompletion +developers". For example, a similar discussion has been raised specifically for Chrome in this thread, with comments and suggestions which overlap the Mozilla Developer page above: Programmatically disabling Chrome auto-fill