Public bug reported:

Currently, Horizon tries to prevent browsers' username/password auto-completion by default.
https://github.com/openstack/horizon/blob/9adb63643778a779c571b4898b315b582bf8fba8/openstack_dashboard/local/local_settings.py.example#L130-L132

However, modern browsers have become more eager to auto-fill forms, treating it as a net gain [1], while preventing users' secrets from being filled into insecure forms [2]. In these circumstances, blocking auto-filling does not offer much security gain. Is it time to deprecate the "password_autocomplete" switch, or at least flip the default value?

To address the point in the security guide [3]: the flaw described there exists regardless of the value of password_autocomplete. This is because password_autocomplete just hides the fake form with CSS, but the password is already filled in by the browser at the HTML level. The assumed other user already has the same privilege to see the saved password, since the password is already saved regardless of the value of password_autocomplete.

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

> Even without a master password, in-browser password management is generally
> seen as a net gain for security. Since users do not have to remember
> passwords that the browser stores for them, they are able to choose stronger
> passwords than they would otherwise.
>
> For this reason, many modern browsers do not support autocomplete="off" for
> login fields

[2] https://developer.mozilla.org/en-US/Firefox/Releases/52#Security

> Autofill is also disabled on insecure login forms

[3] https://docs.openstack.org/security-guide/dashboard/checklist.html#check-dashboard-07-is-password-autocomplete-set-to-false

> it introduces a flaw, as the user account becomes easily accessible to anyone
> that uses the same account on the client machine

** Affects: horizon
   Importance: Undecided
   Status: New

** Affects: ossp-security-documentation
   Importance: Undecided
   Status: New

** Also affects: ossp-security-documentation
   Importance: Undecided
   Status: New
https://bugs.launchpad.net/bugs/1731853

Title:
  Deprecation of password_autocomplete

Status in OpenStack Dashboard (Horizon):
  New
Status in OpenStack Security Guide Documentation:
  New
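As an added illustration of the reporter's point (example code written for this page, not Horizon's own), the script below parses a constructed login page that uses the decoy-form pattern described above and lists every password input together with whether CSS hides it, whether it already carries a value, and its autocomplete attribute. The markup, field names and the `hunter2` value are assumptions, not taken from Horizon's templates.

```python
from html.parser import HTMLParser

# Constructed sample page (an assumption about the decoy pattern, not Horizon's
# markup): a CSS-hidden form a browser may autofill, then the real login form.
DECOY_LOGIN_PAGE = """
<form style="display: none;">
  <input type="text" name="fake_username" value="alice">
  <input type="password" name="fake_password" value="hunter2">
</form>
<form method="post" action="/auth/login/">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
</form>
"""

# Elements without a closing tag; they must not be pushed on the ancestor stack.
VOID_ELEMENTS = {"input", "br", "hr", "img", "meta", "link"}


class PasswordInputAuditor(HTMLParser):
    """Record every password input and whether any ancestor hides it via inline CSS."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one bool per open non-void ancestor: is it CSS-hidden?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "input" and (a.get("type") or "text").lower() == "password":
            self.findings.append({
                "name": a.get("name"),
                "css_hidden": hidden or any(self.hidden_stack),
                "autocomplete": a.get("autocomplete"),
                "value_present": bool(a.get("value")),  # value sits in the DOM, hidden or not
            })
        if tag not in VOID_ELEMENTS:
            self.hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS and self.hidden_stack:
            self.hidden_stack.pop()


def audit_password_inputs(html):
    """Return one dict per password input found in the page, in document order."""
    parser = PasswordInputAuditor()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for finding in audit_password_inputs(DECOY_LOGIN_PAGE):
        print(finding)
```

Run against a saved copy of a real login page, the report shows which password fields are only hidden visually, which is the reporter's argument that the CSS decoy does not remove the credential from the DOM.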