Login form does not disable auto-completion

Bug #1298781 reported by Julian Edwards
Affects: MAAS
Status: Fix Released
Importance: Medium
Assigned to: Graham Binns
Milestone: none listed

Bug Description

Login credentials may be recovered by other users of the same computer. In combination with any cross-site scripting vulnerabilities that may exist, this vulnerability can potentially allow remote attackers to steal login credentials.

Disable autocomplete completely by setting the form’s autocomplete attribute to off.

Tags: netcraft
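An added check for the markup change the report asks for (not MAAS code and not part of the bug thread): it parses login-form HTML with the standard library and lists password inputs that inherit autocompletion because neither the input nor its enclosing form sets autocomplete="off". The two sample forms are constructed for illustration.

```python
from html.parser import HTMLParser


class AutocompleteAudit(HTMLParser):
    """Collect password inputs left open to browser autocompletion.

    Constructed check, not MAAS code. The autocomplete value of each open
    <form> is tracked on a stack so an input inherits its form's setting.
    """

    def __init__(self):
        super().__init__()
        self.form_stack = []   # autocomplete value of each open <form>
        self.findings = []     # names of password inputs without autocomplete=off

    def handle_starttag(self, tag, attrs):
        # Boolean attributes arrive with value None; normalise everything.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_stack.append(a.get("autocomplete"))
        elif tag == "input" and a.get("type") == "password":
            form_off = bool(self.form_stack) and self.form_stack[-1] == "off"
            input_off = a.get("autocomplete") == "off"
            if not (form_off or input_off):
                self.findings.append(a.get("name", "<unnamed>"))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def password_fields_allowing_autocomplete(html):
    """Return the names of password inputs the markup leaves autocompletable."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup: the form as reported, and the proposed fix.
VULNERABLE_FORM = """
<form method="post" action="/accounts/login/">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""
FIXED_FORM = """
<form method="post" action="/accounts/login/" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""
```

This verifies the markup only: current mainstream browsers ignore autocomplete="off" on password fields for their built-in password managers, so the attribute limits exposure through generic form-history autofill rather than guaranteeing credentials are never stored.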

Gavin Panella (allenap) wrote :

If making this change would prevent password managers like LastPass from working, then I'm -1. I assume it does.

Changed in maas:
status: Triaged → Won't Fix
Graham Binns (gmb) wrote : Re: [Bug 1298781] Re: Login form does not disable auto-completion

On 28 March 2014 10:48, Gavin Panella <email address hidden> wrote:
> If making this change would prevent password managers like LastPass
> from working, then I'm -1. I assume it does.

It doesn't: https://helpdesk.lastpass.com/extension-preferences/advanced/

"Respect AutoComplete=off: Allow websites to disable the Autofill
feature. This option is disabled by default."

So I think it would be safe for us to do this. If people are going to
let other users use their browser-with-signed-in-LastPass then there's
not much we can do to help them :).

Changed in maas:
status: Won't Fix → Triaged
Gavin Panella (allenap) wrote :

My feeling - and I don't know if there's data to validate this - is that use of a password manager, be it LastPass, 1Password, or one built into the browser, leads to better password behaviour: less duplication, and stronger passwords. Disabling auto-completion is an incentive to use a weak or previously-used password.

Graham Binns (gmb) wrote :

On 28 March 2014 16:21, Gavin Panella <email address hidden> wrote:
> My feeling - and I don't know if there's data to validate this - is that
> use of a password manager, be it LastPass, 1Password, or one built into
> the browser, leads to better password behaviour: less duplication, and
> stronger passwords. Disabling auto-completion is an incentive to use a
> weak or previously-used password.

I'd agree with your first statement; I'm dubious about the second.
Password strategies are personal; if someone's going to be lazy about
their passwords they're going to be lazy whether or not the browser
autocompletes for them (I know because I did this for years - had one
throwaway password for all the accounts about which I didn't care...
until of course I started caring about them. LastPass cured me of
that).

Anyway, I think we're rapidly heading towards the Dulux aisle at B&Q here.

Graham Binns (gmb)
Changed in maas:
status: Triaged → In Progress
assignee: nobody → Graham Binns (gmb)
Changed in maas:
status: In Progress → Fix Released
This report contains Public Security information. Everyone can see this security-related information.
