- Posts: 5
- Thank you received: 0
Disable Auto-Completion Enabled for Password Fields
First post. I am hosting my own LimeSurvey survey. I did a vulnerability scan of my server and it was tagged with:
"Auto-Completion Enabled for Password Fields"
"The web server running on this host uses password fields that allow autocompletion
by users' browsers. This could allow a user's credentials to be stored
by the browser and subsequently exposed if the user's computer becomes
CVSSv2: AV:L/AC:H/Au:N/C:P/I:N/A:N (1.20)"
"Modify the identified page so that the password field and
the enclosing form tags have an attribute named
"autocomplete" with a value of "off".
If this is a vendor application, contact the vendor for an
updated version of the application or guidance on
addressing this issue."
Was wondering how to address this in LimeSurvey?
- Posts: 11115
- Karma: 410
- Thank you received: 2008
Because it must be the choice of the user to save his password or not …
source : security.stackexchange.com/a/104799/63436
Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.
Another sentence I really like (maybe the most real):
From bugzilla.mozilla.org/show_bug.cgi?id=425145#c55 via security.stackexchange.com/q/49326/63436
possibly most importantly, forcing users to re-enter their password every time practically forces them to use a simple password - easy to remember, easy to type, probably even used on multiple websites. This obviously lowers overall security dramatically and thus poses a danger to security.
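
To see exactly which fields the scanner rule quoted in the first post would flag, the following added example (not part of the thread and not LimeSurvey code) applies that rule literally to a page's HTML: every password input must carry autocomplete="off", and so must its enclosing form. The sample markup, `audit` and the class name are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (not LimeSurvey's actual login page).
SAMPLE_HTML = """
<form id="login" action="/admin" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="password">
</form>
<form id="reset" autocomplete="off">
  <input type="password" name="new_pw" autocomplete="OFF">
</form>
<input type="password" name="orphan" autocomplete="off">
"""

def _norm(value):
    """Lower-case an attribute value; None when the attribute is absent or empty."""
    return value.strip().lower() if value else None

class PasswordAutocompleteAudit(HTMLParser):
    """Records each password input with its own and its form's autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # autocomplete value of every currently open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute names arrive lower-cased from HTMLParser
        if tag == "form":
            self.form_stack.append(_norm(a.get("autocomplete")))
        elif tag == "input" and _norm(a.get("type")) == "password":
            in_form = bool(self.form_stack)
            form_ac = self.form_stack[-1] if in_form else None
            field_ac = _norm(a.get("autocomplete"))
            # Scanner rule: "off" on the field and on the enclosing form, if any.
            flagged = field_ac != "off" or (in_form and form_ac != "off")
            self.findings.append({"name": a.get("name"), "field": field_ac,
                                  "form": form_ac, "flagged": flagged})

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()

def audit(html):
    """Return one finding per password input found in the given HTML text."""
    parser = PasswordAutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

The result describes the markup only; it says nothing about whether a given browser honours the attribute.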