Bug 1060777 - [RFE] Disable password Auto-complete
Summary: [RFE] Disable password Auto-complete
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-03 15:05 UTC by Bryan Kearney
Modified: 2018-08-31 15:20 UTC
CC: 9 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-09 19:10:49 UTC




Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 4239 None None None 2016-04-22 15:12:45 UTC
Red Hat Bugzilla 1468754 None CLOSED The password field in the Satellite 5 login form needs autocomplete disabled 2019-01-31 13:14:20 UTC

Internal Links: 1468754

Description Bryan Kearney 2014-02-03 15:05:03 UTC
Password fields should have auto-complete disabled explicitly.

http://doc.cenzic.com/sadoc9x14ba847/CPL0001034.htm

Comment 1 RHEL Product and Program Management 2014-02-03 15:20:21 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Bryan Kearney 2014-04-25 13:53:52 UTC
We don't set it on login pages, as that would disable password managers.

Comment 4 Greg Scott 2017-07-05 20:50:04 UTC
Re-opening this RFE because it needs to be revisited.  The current behavior is not a best security practice and is triggering customer audit failures because of the potential ugly scenario below.

Alice launches a browser and logs into Satellite.  The fields in the login form are *not* set to explicitly disable autocomplete, and Alice behaves like 99+ percent of the population and does not turn off autocomplete in her browser.

Alice logs into Satellite, performs her tasks, closes her browser, and finishes her shift for the day.

Later that night, Bob launches a browser from the same workstation.  Bob is mad at Alice and Bob wants to make everyone think Alice sabotaged the company.

Bob logs into Satellite as Alice.  He starts typing Alice's name in the username field. He types "A" and the fields in the login form conveniently populate - including the password field with Alice's password.

Bob impersonates Alice inside Satellite and wreaks havoc across the company.

This RFE was closed with WontFix because of password managers. The reasoning seems to be, the password is inside a password manager and the browser automatically fills it in, so the Satellite Admin doesn't need to know it.  

We need to revisit that decision.

I propose the following behavior as a bug fix for both Satellite 5 and 6:

Change the default behavior for all password fields to turn autocomplete off.  In cases where customers need autocomplete on, customers can override the default behavior by telling their browsers to remember the password.

For the RFE portion - for browsers with no ability to remember passwords, provide a Satellite configuration option to enable autocomplete with password fields from the Satellite side.  Put in lots of text for why this is not a good idea and a confirmation for people who want to choose it.

Comment 5 Greg Scott 2017-07-07 15:14:41 UTC
I'm pasting in a request from the customer on this.  They're running Satellite 5.7.

**********

@Greg Scott — Is there any way to edit the source code of that login form (at least temporarily) while we wait on an RFE? I have tried locating where that login form is generated, but was unable to find it easily. It seems some portions of the web pages for Satellite are generated from Perl, other parts with Python, etc. It’s definitely not static HTML — at least, not anywhere I could find.

All that I need to do to remediate this is change this:
<form name="loginForm" id="loginForm" […]>

To this:
<form name="loginForm" id="loginForm" autocomplete="off" […]>

***********

Can we do anything to help them out? It will help get past a security audit.

Comment 6 Greg Scott 2017-07-07 15:22:51 UTC
And a question.  Having autocomplete in password fields really is a bug and not a feature.  The RFE portion is to provide an option to allow it - which might not even be a good idea.

Should I file a bug for Satellite 5 and another one for Satellite 6 to turn off autocomplete in password fields?  Or is it OK to leave the issue here?

thanks

- Greg

Comment 7 Brad Buckingham 2017-07-07 16:28:00 UTC
Satellite 5 and 6 are tracked separately within bugzilla; therefore, 2 bugzillas would be appropriate.

Comment 8 Greg Scott 2017-07-07 20:38:01 UTC
OK.  I did 2 more bugzillas.  

Satellite 6 at https://bugzilla.redhat.com/show_bug.cgi?id=1468759
Satellite 5 at https://bugzilla.redhat.com/show_bug.cgi?id=1468754

