W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2014

Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Gavin Sharp <gavin@gavinsharp.com>
Date: Wed, 1 Oct 2014 16:34:05 -0700
Message-ID: <CAHBT5m1CtOdKOnx+-ET2B+10ZFOmS5F9q4Z9ZG8dUGScJsFFsw@mail.gmail.com>
To: Dan Poltawski <dan@moodle.com>
Cc: whatwg <whatwg@lists.whatwg.org>
Firefox developer here (I was involved in our behavior change). Sorry
to hear that it's causing you trouble. Unfortunately this seems like a
pretty specific, uncommon use case, so we hadn't considered it. And we
probably aren't reasonably able to fix things for you without breaking
other more common use cases we care about (people using password
fields for passwords).

The underlying use case seems to be obfuscating text in an input field
that isn't a password. From a spec perspective, a feature to opt-in to
obfuscation that isn't type=password could address this (e.g.
type="masked-text"). From your perspective, I suppose you could work
around this by obfuscating the text in the field yourself rather than
letting the browser do it.

Gavin

On Wed, Oct 1, 2014 at 12:19 PM, Dan Poltawski <dan@moodle.com> wrote:
> Hi All,
>
> Over the past few months all the browser vendors have moved towards
> ignoring autocomplete="off" with password fields. I understand the
> rationale behind this, but in our software project this has lead to
> the frustrating situation where we seem to have no good option to deal
> with this and the change is actively harming the security of our
> users.
>
> To outline the situation in broad terms:
> * We have shared secrets on the page which we protect against shoulder
> surfing by using the password element with autocomplete="off"
> * The password managers are now all auto-filling these fields with
> passwords on the same domain and in many cases without the user even
> noticing (optional fields they wouldn't look at)
> * The passwords then get stored in our shared-secret fields clear text
> and available to all their peers
> * This can then be used for privilege escalation etc
>
> It seems like our only option is avoid use of password field at all
> and invent our own 'fake' password field to protect our users
> passwords from being exposed. That seems like a really disappointing
> solution.
>
> (Apologies in advance if this is completely off-list, I saw some
> threads leading to this list and it wasn't clear to me if this sort of
> discussion was acceptable).
>
> cheers,
> Dan
Received on Wednesday, 1 October 2014 23:34:30 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 17:00:24 UTC