[buddypress-trac] [BuddyPress Trac] #6269: Add autocomplete="off" to bp-login widget password field
buddypress-trac
noreply at wordpress.org
Mon Mar 2 00:42:34 UTC 2015
#6269: Add autocomplete="off" to bp-login widget password field
-----------------------------+------------------------------
Reporter: Prometheus Fire | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: API | Version:
Severity: normal | Resolution:
Keywords: |
-----------------------------+------------------------------
Comment (by netweb):
Via one of the SO links above:
> http://googlechromereleases.blogspot.ro/2014/04/stable-channel-update.html
> Google Chrome's Daniel Xie writes:
>
>> As we’ve previously discussed, Chrome will now offer to remember and
>> fill password fields in the presence of autocomplete=off. This gives more
>> power to users in spirit of the priority of constituencies, and it
>> encourages the use of the Chrome password manager so users can have more
>> complex passwords. This change does not affect non-password fields.
I like that statement and agree wholeheartedly with it.
That said, I think AppScan is "doing it right" and BuddyPress should set
`autocomplete=off`.
Another IBM application update, different app but same thoughts:
> When the AUTOCOMPLETE attribute is not disabled, passwords and user
> names can be transparently stored by the browser, potentially exposing
> them to other users of the same workstation environment.
>
> An attacker would require local access to the user’s browser in order to
> exploit this vulnerability. The exposure of this issue was rated as High
> since users could access the application from shared public Internet
> terminals (such as an Internet café). Should access to the application be
> restricted to only authorized and secured workstations, then the exposure
> would be rated as Low.
>
> Resolution: Disable the AUTOCOMPLETE attribute on the form. For example:
> {{{<FORM AUTOCOMPLETE = “off”></FORM>}}}
Summarising, in the context of BP, setting `autocomplete=off` allows
IBM AppScan to pass it as valid; it will also be ignored by Google
Chrome and any other browser or password manager that ignores this.
If you run an internet cafe and you're allowing your customers to save
passwords using a browser's password manager and sharing this with any and
all customers using the same terminal, then we cannot do anything about it
except weep if internet cafes are not using `chrome://flags` to disable
autocomplete for their terminals.
Secondly, if patched, this may also have to implement some of the changes
from #WP24364 re:
> When the user wants to change a setting on the Profile screen, the first
password field is auto-filled. That results in error on submitting the
form: "ERROR: You entered your new password only once...".
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6269#comment:2>
BuddyPress Trac <http://buddypress.org/>
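The check a scanner like AppScan applies, reproduced as an added example (not BuddyPress or IBM code): walk a login form's markup and report any password field where neither the `<input>` nor an enclosing `<form>` carries `autocomplete="off"`. The widget markup and field names below are constructed for the example, not taken from the BP login widget.

```python
"""Audit check (example only): report password fields an AppScan-style
scanner would flag because autocomplete is not disabled on the field or
on an enclosing form. Markup below is constructed, not BuddyPress's own."""
from html.parser import HTMLParser


class PasswordAutocompleteAudit(HTMLParser):
    """Collect (field name, autocomplete disabled?) for password inputs."""

    def __init__(self):
        super().__init__()
        self._form_off = []   # one entry per open <form>: autocomplete off?
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form_off.append(a.get("autocomplete", "").lower() == "off")
        elif tag == "input" and a.get("type", "").lower() == "password":
            # Compliant if the field itself, or any enclosing form, is "off".
            own_off = a.get("autocomplete", "").lower() == "off"
            self.findings.append((a.get("name", "?"), own_off or any(self._form_off)))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_off:
            self._form_off.pop()


def audit(markup):
    """Return [(name, compliant)] for every password field in markup."""
    parser = PasswordAutocompleteAudit()
    parser.feed(markup)
    return parser.findings


# Constructed markup: a login widget as AppScan would flag it, beside the
# hardened form the ticket proposes (attribute on the password field).
WIDGET_BEFORE = """
<form id="login-widget-form" method="post">
  <input type="text" name="log">
  <input type="password" name="pwd">
</form>"""

WIDGET_AFTER = """
<form id="login-widget-form" method="post">
  <input type="text" name="log">
  <input type="password" name="pwd" autocomplete="off">
</form>"""

if __name__ == "__main__":
    for label, html in (("before", WIDGET_BEFORE), ("after", WIDGET_AFTER)):
        for name, ok in audit(html):
            print(f"{label}: password field {name!r} autocomplete disabled: {ok}")
```

As the comment notes, passing this check only satisfies the scanner; Chrome and password managers that ignore the attribute will still offer to save the field.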