
[whatwg] Password managers ignoring autocomplete='off' harming security

From: Dan Poltawski <dan@moodle.com>
Date: Wed, 1 Oct 2014 20:19:39 +0100
Message-ID: <CADwQr5FQFsWH_q777C+L_yWF_qxEK13s6qcFCH+y0g5ny1+jWg@mail.gmail.com>
To: whatwg@lists.whatwg.org

Hi All,

Over the past few months all the browser vendors have moved towards
ignoring autocomplete="off" with password fields. I understand the
rationale behind this, but in our software project this has led to
the frustrating situation where we seem to have no good option to deal
with this and the change is actively harming the security of our
users.

To outline the situation in broad terms:
* We have shared secrets on the page which we protect against shoulder
surfing by using the password element with autocomplete="off"
* The password managers are now all auto-filling these fields with
passwords on the same domain and in many cases without the user even
noticing (optional fields they wouldn't look at)
* The passwords then get stored in our shared-secret fields in clear text
and available to all their peers
* This can then be used for privilege escalation etc

It seems like our only option is to avoid use of the password field at all
and invent our own 'fake' password field to protect our users'
passwords from being exposed. That seems like a really disappointing
solution.

(Apologies in advance if this is completely off-list, I saw some
threads leading to this list and it wasn't clear to me if this sort of
discussion was acceptable).

cheers,
Dan
Received on Wednesday, 1 October 2014 19:20:24 UTC
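The 'fake' password field the post mentions as its fallback, written out as an added example that is not part of the original post or of the Moodle project: the visible control is an <input type="text"> that only ever holds bullet characters, while the real shared secret lives in a hidden input that is what actually gets submitted. Because the visible field is not type=password, it is not a candidate for the password-manager autofill behaviour the post describes, and shoulder surfing is still defeated by the masking. The element ids, the hidden field name and the form layout are assumptions; the reconstruction logic in applyMaskedEdit is the part worth reading, since it maps an edit made to the bullet string back onto the real value using only the cursor position and the change in length.

```javascript
// Masked "shared secret" input built on <input type="text"> instead of
// <input type="password">, so the field is not a target for the password-manager
// autofill described in the post. Example code added to this archived message,
// not from the original author or the Moodle project.
//
// Assumed markup (ids and field name are assumptions):
//   <input id="secret-display" type="text" autocomplete="off" spellcheck="false">
//   <input id="secret" type="hidden" name="shared_secret">

const MASK = '\u2022'; // bullet shown in place of each real character

// Pure function: reconstruct the real value after one edit to the masked field.
//   realOld    - the real secret before the edit
//   displayNew - the visible field's value after the edit (bullets plus newly typed text)
//   cursor     - selectionStart of the visible field after the edit
// Typed or pasted text appears as the run of non-bullet characters ending at the
// cursor; the number of removed characters follows from the change in length.
// This covers append, backspace, forward delete, mid-string insert and
// replace-selection. A literal bullet typed by the user makes the lengths
// inconsistent and the edit is dropped rather than guessed.
function applyMaskedEdit(realOld, displayNew, cursor) {
  const inserted = displayNew.split(MASK).join('');
  const removed = realOld.length - (displayNew.length - inserted.length);
  const start = cursor - inserted.length;
  if (removed < 0 || start < 0 || start > realOld.length) {
    return realOld; // inconsistent state; keep the previous secret unchanged
  }
  return realOld.slice(0, start) + inserted + realOld.slice(start + removed);
}

// Bullet string of the same length as the real value.
function maskOf(value) {
  return MASK.repeat(value.length);
}

// Wire a visible text field to the hidden field that carries the real secret.
function attachMaskedField(display, hidden) {
  display.addEventListener('input', () => {
    const cursor = display.selectionStart;
    hidden.value = applyMaskedEdit(hidden.value, display.value, cursor);
    display.value = maskOf(hidden.value); // never leave real characters on screen
    const pos = Math.min(cursor, display.value.length);
    display.setSelectionRange(pos, pos);
  });
  // Start from a clean state even if the browser restored a value on reload.
  hidden.value = '';
  display.value = '';
}

// Browser bootstrap; skipped when the module is loaded outside a page.
if (typeof document !== 'undefined') {
  const display = document.getElementById('secret-display');
  const hidden = document.getElementById('secret');
  if (display && hidden) attachMaskedField(display, hidden);
}
```

The visible field is a plain text input, so the value a shoulder surfer sees is bullets only, and the secret itself is never rendered. The trade-off is that the browser no longer knows the field is sensitive: undo history, IME composition and spell-check behave as for ordinary text, which is why autocomplete and spellcheck are switched off in the assumed markup, and why the reconstruction is defensive about states it cannot explain.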
