
Disable Auto-Completion Enabled for Password Fields

5 years 2 weeks ago #182733 by eyeballs
Hi Everyone!

First post. I am hosting my own LimeSurvey survey. I did a vulnerability scan of my server and it was tagged with:

"Auto-Completion Enabled for Password Fields"

More specifically:

"The web server running on this host uses password fields that allow autocompletion
by users' browsers. This could allow a user's credentials to be stored
by the browser and subsequently exposed if the user's computer becomes
compromised.
CVSSv2: AV:L/AC:H/Au:N/C:P/I:N/A:N (1.20)"

and:

"Modify the identified page so that the password field and
the enclosing form tags have an attribute named
"autocomplete" with a value of "off".
If this is a vendor application, contact the vendor for an
updated version of the application or guidance on
addressing this issue."

Was wondering how to address this in LimeSurvey?

Thank you
The topic has been locked.
5 years 2 weeks ago - 5 years 2 weeks ago #182742 by DenisChenu
I don't offer a solution, I really think this kind of advice is dumb …
Because it must be the choice of the user to save his password or not …

"Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords."

Source: security.stackexchange.com/a/104799/63436

Another sentence I really like (maybe the most real):

"possibly most importantly, forcing users to re-enter their password every time practically forces them to use a simple password - easy to remember, easy to type, probably even used on multiple websites. This obviously lowers overall security dramatically and thus poses a danger to security."

From bugzilla.mozilla.org/show_bug.cgi?id=425145#c55 via security.stackexchange.com/q/49326/63436

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand, plugin development.
I don't answer private messages.
Last edit: 5 years 2 weeks ago by DenisChenu. Reason: One another sentence i really like
The following user(s) said Thank You: tpartner, evently, cdorin
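
An added example, not part of the thread and not LimeSurvey code: a small Python check that reproduces what the scanner finding in the first post describes, listing each password field in a page and whether it and its enclosing form carry autocomplete="off". The sample HTML and field names are constructed, and the flagging rule is an assumption drawn from the remediation text quoted above.

```python
from html.parser import HTMLParser

class PasswordFieldAudit(HTMLParser):
    """List each <input type="password"> with its own and its form's autocomplete value."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.form_autocomplete = None  # value on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.in_form = True
            self.form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            field = a.get("autocomplete")
            form = self.form_autocomplete if self.in_form else None
            # Assumed rule, from the scanner's remediation text: the field and
            # its enclosing form must both carry autocomplete="off".
            flagged = field != "off" or (self.in_form and form != "off")
            self.findings.append({"name": a.get("name", ""), "field": field,
                                  "form": form, "flagged": flagged})

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.form_autocomplete = None

def audit(html):
    """Return one finding per password field found in the HTML string."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup (not taken from LimeSurvey).
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
</form>
<form action="/reset" method="post" autocomplete="off">
  <input type="password" name="new_password" autocomplete="off" />
  <input type="password" name="repeat_password">
</form>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["name"], "field=%s form=%s flagged=%s" % (f["field"], f["form"], f["flagged"]))
```

A field that is not flagged here only has the attribute present in the markup; as the reply above quotes, browsers may ignore it.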