[openstack-dev] [horizon] Default to allow password management of login form

Gabriel Hurley Gabriel.Hurley at nebula.com
Wed Feb 6 20:31:27 UTC 2013


Personally I didn't care for this particular "security" patch to begin with, so I'm in favor of leaving off the "autocomplete='off'" attribute. When the patch was proposed I simply didn't have any security-based argument against it, and the feedback on the ticket seemed somewhat decided, so I just let it go.

Worst-case, this could be configurable but not the default (for organizations who subscribe to checklist security policies), though simply reverting the patch entirely is also an option.

    - Gabriel

> -----Original Message-----
> From: Paul McMillan [mailto:paul.mcmillan at nebula.com]
> Sent: Wednesday, February 06, 2013 11:57 AM
> To: openstack-dev at lists.openstack.org
> Subject: [openstack-dev] [horizon] Default to allow password management
> of login form
> 
> Recently, a security ticket was raised on the Horizon bug tracker [1] with the
> results from an audit, recommending that the autocomplete attribute be
> disabled for the password field.
> 
> The autocomplete attribute has historically been intended for things like
> email subject lines, where autocompletion of previous entries made no
> semantic sense in the context of the web form. Modern browsers treat
> password fields specially, and provide detailed and secure password
> management facilities which users must opt into. Usually these password
> stores are tied to the user's secure OS Keystore and protected by a master
> password. Since a user only has to remember one password, they use more
> secure passwords across the web, and are more likely to refrain from
> memory aids such as post-it-notes under the keyboard. This password
> management can typically be disabled by IT policy for organizations which do
> not believe it to be beneficial to their users.
> 
> Overzealous application of early guidelines related to autocomplete has
> produced a common recommendation to disable it for password fields. This
> advice is misguided, and typically produces less secure user behavior. In
> particular, it is common for users to enable browser flags which ignore this
> attribute, or install addons which disable it for the password field.
> 
> Given the usability issues this change introduces, I have opened a review
> which makes this value configurable in settings, so that organizations may
> disable password management at an institutional level, with a default value
> allowing secure password management by the browser.
> 
> https://review.openstack.org/#/c/21349/
> 
> -Paul
> 
> [1] https://bugs.launchpad.net/horizon/+bug/1116168
> 
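Paul's proposal above is to keep browser password management allowed by default and let an organization opt out through a deployment setting. The block below is an added example of that pattern, not code from the Horizon review; the setting name `password_autocomplete` and the config dicts are assumptions made for the example, since the thread does not name the actual setting.

```python
"""Added example (not Horizon's own code): render the login form's password
input so that browser password management is allowed by default and is
switched off only by an explicit institutional setting.

The setting key "password_autocomplete" is an assumption made for this
example; the thread does not give the name used in the actual review.
"""
from html import escape

# Constructed sample configs. Horizon keeps deployment settings in a dict
# called HORIZON_CONFIG; the key below is assumed, not taken from the thread.
DEFAULT_CONFIG = {}                                    # nothing set: browser may manage the password
LOCKED_DOWN_CONFIG = {"password_autocomplete": "off"}  # institutional policy opts out


def password_autocomplete_value(config):
    """Return the value to use for the password field's autocomplete attribute.

    Defaults to "on" (the default argued for in the thread); only an explicit
    "off" in the deployment config disables browser password management.
    Any other value is rejected rather than silently emitted into the HTML.
    """
    value = str(config.get("password_autocomplete", "on")).lower()
    if value not in ("on", "off"):
        raise ValueError("password_autocomplete must be 'on' or 'off', got %r" % value)
    return value


def render_password_input(config, name="password", field_id="id_password"):
    """Build the <input type="password"> tag for the login form.

    The autocomplete attribute is written only when policy turns it off, so a
    default deployment renders a plain password input that the browser's
    password manager can fill. Attribute values are HTML-escaped.
    """
    attrs = {
        "type": "password",
        "name": name,
        "id": field_id,
    }
    if password_autocomplete_value(config) == "off":
        attrs["autocomplete"] = "off"
    rendered = " ".join('%s="%s"' % (k, escape(v, quote=True)) for k, v in attrs.items())
    return "<input %s>" % rendered


def allows_browser_password_management(html_fragment):
    """Check a rendered field: True unless it carries autocomplete="off"."""
    return 'autocomplete="off"' not in html_fragment.lower()


if __name__ == "__main__":
    print(render_password_input(DEFAULT_CONFIG))
    print(render_password_input(LOCKED_DOWN_CONFIG))
```

The point of routing the decision through one small function is that the secure-usability default lives in exactly one place, and an operator who wants the checklist behaviour has to state it explicitly in the deployment config rather than getting it silently.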
