[openstack-dev] [horizon] Default to allow password management of login form
Paul McMillan
paul.mcmillan at nebula.com
Wed Feb 6 19:57:05 UTC 2013
Recently, a security ticket was raised on the Horizon bug tracker [1] with the results from an audit, recommending that the autocomplete attribute be disabled for the password field.
The autocomplete attribute has historically been intended for things like email subject lines, where autocompletion of previous entries made no semantic sense in the context of the web form. Modern browsers treat password fields specially, and provide detailed and secure password management facilities which users must opt into. Usually these password stores are tied to the user's secure OS Keystore and protected by a master password. Since a user only has to remember one password, they use more secure passwords across the web, and are more likely to refrain from memory aids such as post-it-notes under the keyboard. This password management can typically be disabled by IT policy for organizations which do not believe it to be beneficial to their users.
Overzealous application of early guidelines related to autocomplete has produced a common recommendation to disable it for password fields. This advice is misguided, and typically produces less secure user behavior. In particular, it is common for users to enable browser flags which ignore this attribute, or install addons which disable it for the password field.
Given the usability issues this change introduces, I have opened a review which makes this value configurable in settings, so that organizations may disable password management at an institutional level, with a default value allowing secure password management by the browser.
https://review.openstack.org/#/c/21349/
-Paul
[1] https://bugs.launchpad.net/horizon/+bug/1116168
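The behaviour proposed above, as an added example in Python; it is not Horizon's code and not from the post's author or the linked review. It assumes a hypothetical deployment setting named PASSWORD_AUTOCOMPLETE (defaulting to "on", so browser password management stays available) and a minimal, constructed login form; it also includes a small auditor that scans arbitrary HTML for password inputs and reports whether each one opts out of browser password management, the kind of check behind the audit finding in [1].

```python
"""Added example, not code from Horizon or from the post's author.

Models a login form whose password field carries autocomplete="off" only
when a deployment setting asks for it, plus an auditor that reports the
autocomplete state of every password field in a page.  The setting name
PASSWORD_AUTOCOMPLETE and the form markup are assumptions.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical deployment setting. "on" keeps the browser's password manager
# usable (the post's recommended default); "off" emits autocomplete="off".
DEFAULT_SETTINGS = {"PASSWORD_AUTOCOMPLETE": "on"}


def render_login_form(settings=None, action="/auth/login/"):
    """Return HTML for a minimal login form honouring PASSWORD_AUTOCOMPLETE."""
    cfg = dict(DEFAULT_SETTINGS)
    cfg.update(settings or {})
    mode = str(cfg["PASSWORD_AUTOCOMPLETE"]).lower()
    if mode not in ("on", "off"):
        raise ValueError("PASSWORD_AUTOCOMPLETE must be 'on' or 'off', got %r" % mode)
    # Only the "off" case adds the attribute; browsers default to "on".
    pw_extra = ' autocomplete="off"' if mode == "off" else ""
    return (
        '<form method="post" action="%s">\n'
        '  <input type="text" name="username">\n'
        '  <input type="password" name="password"%s>\n'
        '  <button type="submit">Sign In</button>\n'
        "</form>\n"
    ) % (escape(action, quote=True), pw_extra)


class _PasswordInputAuditor(HTMLParser):
    """Collect every <input type="password"> and its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; a valueless attribute is None.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        self.findings.append({
            "name": a.get("name", ""),
            # An absent or empty attribute means the browser default, "on".
            "autocomplete": a.get("autocomplete", "on").lower() or "on",
        })


def audit_password_fields(html):
    """Return a list of {name, autocomplete} dicts, one per password input."""
    parser = _PasswordInputAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def password_manager_blocked(html):
    """True if any password field on the page opts out of browser management."""
    return any(f["autocomplete"] == "off" for f in audit_password_fields(html))


# Constructed sample page (not from Horizon): one field opts out, one does not.
SAMPLE_AUDITED_PAGE = """
<html><body>
<form action="/login">
<input type="password" name="pw" autocomplete="OFF">
<input type="password" name="pw2">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(render_login_form())
    print(render_login_form({"PASSWORD_AUTOCOMPLETE": "off"}))
    print(audit_password_fields(SAMPLE_AUDITED_PAGE))
```

Running the module prints the form in both modes and the audit of the constructed sample; `password_manager_blocked` gives a one-line verdict suitable for a deployment check.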