Kitz Forum

Internet => Web Hosting & Web Design => Topic started by: chenks on February 27, 2019, 12:20:59 PM

Title: browsers offering to save login details - how to properly stop this
Post by: chenks on February 27, 2019, 12:20:59 PM
it seems every browser nowadays wants to "help" the user by prompting to save the username and password when logging into a website.
great for the lazy end-user, but bad for forcing people to actually log in properly each time, and bad for enforcing password changes when the end-user forgets their password because the browser is entering it for them.

we have some website here where we are enforcing regular password changes, and due to the end-user happily clicking "yes" when chrome asks them to save the details it means every 30 days the end-user not remembering the password they chose.

so i've been looking at some code to try and block the browser prompting this. it seems that the original method of "autocomplete=off" is no longer correctly honoured by "modern" browsers, most simpy ignore it.

so a method i saw was the hide the real form fields so the browser didn't see them a a login attempt, and the method i saw and tried works with Chrome, Opera and internet explorer, but not sodding Firefox!!

Code: [Select]
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>

<form id="theForm" action="/your/login" method="post">
  <input type="hidden" id="hiddenUsername" name="username"/>
  <input type="hidden" id="hiddenPassword" name="password"/>
  <input type="submit" value="Login"/>
</form>

<script type="text/javascript" language="JavaScript">
  $("#theForm").submit(function() {
    $("#hiddenUsername").val($("#username").val());
    $("#hiddenPassword").val($("#password").val());
  });
  $("#username,#password").keypress(function(e) {
    if (e.which == 13) {
      $("#theForm").submit();
    }
  });
</script>

also, this method appears to shows the actuall password text in the browser.

so has anyone come up with a solid method that works in all browsers that doesn't result in weaker security?
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on February 28, 2019, 11:41:22 AM
First thing I will say is practices like forcing password changes has proven to be a false economy in turns of security, you get situations like users rotating two passwords and it makes it more likely someone will use a weak password.  In addition blocking people saving passwords has also proven a false economy, again it encourages weak passwords to be used if you are having to manually type it in.  This is a big reason why chrome developers now have blocked websites from blocking password auto filling.  If you also block copy and paste in password field's I suggest you stop that behaviour as well as thats another policy that encourages the use of weak passwords.

With that said I dont let my browser remember passwords for sensitive stuff like banking, however the banks are sensible that they dont enforce false economy practices such as regular password updates and preventing copy and paste.

I dont know the answer to your query other than to use drop down letter selections, that will stop it, but also make it a pain to input all the characters.  However what you could do is make it ask for say four random characters, some banks do this, so e.g. characters 3,6,11,17 from the password selectable in drop down selections.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: broadstairs on February 28, 2019, 12:05:23 PM
I must admit it does frustrate me when on the odd occasion a website does funny things with login pages. I dont see that allowing browsers to remember passwords is an issue. Firefox will prompt a user to update a password if the login details change. I try to use a different password for every login and the only other way to remember this would be to write them down which is a really daft thing to get users to do. Using a password manager of some sort is quite secure especially if it save the details encrypted.

Stuart
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on February 28, 2019, 02:33:32 PM
the problem we are having is this.

we enforce a 30 day password reset/renewal - the password strength needs to be high (it doesn't allow a weak password to be used).
browsers saving the passwords kind of defeats the purpose of having one in the first place if someone who gains access to a desktop can then just load the page and have the browser auto fill in the security details. it also results in the user not remebering/knowing what their password is, so when they move computer or have to change it they end up having no idea what their password is currently.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on February 28, 2019, 05:15:51 PM
forgot password button solves the second problem.

For your other issue I would stop stressing over saved passwords and just add proper 2FA.  Not to mention the other solution I proposed would also work.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on February 28, 2019, 05:56:54 PM
i have no idea what you mean by "drop down letter selections".
and i'm not sure what 2FA achieves, they still need to know the password.

a "forgot password button" isn't a solution IMO, it's a workaround. it still allows a user to have no idea what their password is.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on February 28, 2019, 06:04:49 PM
I dont know what most of my passwords are, which is a good thing.  If someone knows their password then it probably isnt a strong password.  I use a password manager, I let my browser remember passwords for sites like kitz, but not for things like banking sites.

Which is easier to remember?

mynameischris

or

dsfd89f789sfhdsjhf9s7f89syfhhs9

drop down is basically where you have a box you click on, and its like a menu with a-z0-9  so you select the letter or number, these dont work with auto password fill stuff.  So they have to be manually inputted by the end user.  But for a full password it would serve to just frustrate everyone, so typically they used on systems where you have to enter random parts of the password not the entire password.  You could even use basic input boxes, barclaycard do this, they ask for random parts of your pin, and because it changes every time you login the auto password system will fail.

What 2FA achieves is it solves the problem you was concerned about if the desktop got compromised, as they wouldnt be able to pass 2FA.

I dont know it seems you just been stubborn and want to just have a basic password auth screen that cannot be automated.  A practice that has been deemed by many security experts as bad and even to the point both chrome and firefox dev's specifically have made difficult to carry out.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on February 28, 2019, 06:10:45 PM
one of my passwords is a random string of characters with upper and lower case and numbers, yet i can remember it with no problems.
so is that not a strong password?

not stubborn at all, i'm asking how to do a specific thing. i didn't ask for opinion or how others would do it.

IMO having a browser save a user/pass equates to zero security. the user becomes oblivious to the level of security required to access.
they just enter it once click rememeber and they've washed their hands of it.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on February 28, 2019, 06:14:37 PM
Then I will say you have above average memory skills.  Dont assume everyone has the same ability, and what happens if you using unique passwords on every site (recommended practice), do you remember them all?

You will find it difficult do what you want to do because browser developers specifically dont want you doing that.  So you need to change the authentication system to achieve your goals, you dont want automated logins, you dont want the ability to login via a compromised desktop.  Then add 2FA.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on February 28, 2019, 06:17:39 PM
i haven't forgotten a password yet, and my expectation of anyone using a system of mine to use a password they won't forget either (that matches the complexity that the system enforces ... ie it won't let them use "mynameischris").
if that results in them being frustrated then good, it's making them think about security, which can only be a good thing.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on February 28, 2019, 06:18:59 PM
I added a screenshot to show you what I mean.

Thats from lloyds bank, it has to be manually inputted every login.  It doesnt ask for that combination of characters every time either, it will randomise what it asks for.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on February 28, 2019, 07:27:54 PM
If I worked for you chenks I'd be saving my password in my password manager on my phone, if my wife worked for you she'd be writing it in her note book that's kept in her pocket!

We don't all have super memories, mine is terrible, Chris is right in what he's saying.

Changing a password every month is a nightmare, I have one service I use which forces that and prior to using a password manager at work I just used to reset the password whenever I logged in.

PS I have never kept passwords stored in a browser, chrome once used to store then in plain text.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on February 28, 2019, 08:35:55 PM
I actually do agree with Chenks here, that allowing a Browser to store passwords is a bad thing, for the reasons he cited earlier.    For similar reasons I do not use password managers, I depend entirely on own memory, which is pretty good when it comes to alphanumeric strings.  A useless skill of mine is that I can often “summon the memory” of all my own and my friends’ car registrations and phone number dating back to the 1970s. :)

That said, when faced with a service of any kind that imposes excessively arduous password constraints, my strategy is... how easily can it be reset when I forget?    If it can easily be reset then fine, I will use that service and just reset the password each time I forget it.

But if a service mandates arduous passwords, and won’t allow me to easily reset when I forget, I will if possible just “walk away” from that service, and find another means of doing whatever it is.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: kitz on March 01, 2019, 01:03:14 AM
Quote
I use a password manager, I let my browser remember passwords for sites like kitz, but not for things like banking sites.

This ^ 
Although I don't use a password manager for my bank account - but thats not to say its not something stupid.   
I have to prompt myself sometimes to figure it out if I'm having a brain fog day.

Quote
If I worked for you chenks I'd be saving my password in my password manager on my phone, if my wife worked for you she'd be writing it in her note book that's kept in her pocket!

Again this ^.   
At work we used to have to change passwords every 30 days and it had to have a mix of chars/numbers/case.   
After about a year it becomes a nightmare trying to think of a new password in a hurry, especially when you're attempting to log-in with a customer in front of you & the prompt to change passy comes up. 
I know for a fact that a lot of staff ended up writing down passwords on scraps of paper.  :(

Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 01, 2019, 02:44:27 AM
pretty much what kitz said.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 11:18:51 AM
luckily i have a captive audience and the users have no choice but to use the system.
30 day password resets is a management request that is to be enforced.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 01, 2019, 01:23:01 PM
I appreciate what upper management can be like  :wall:, but that stance could be rather short sighted, resulting in passwords being written down.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 01:26:22 PM
I appreciate what upper management can be like  :wall:, but that stance could be rather short sighted, resulting in passwords being written down.

passwords being written down won't happen (or shouldn't happen), as the users aren't allowed paper/notebooks etc.
mobile phones also not permitted.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 01, 2019, 06:36:27 PM
does your company allow management to be challenged?
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 07:37:28 PM
does your company allow management to be challenged?

management as in managing director/owner.
their business, their rules.
plus we deal with customers personal details, so data access restriction is already tight.

i could easily offer my opinion on any proposal and it would be taken on board, but i agree with the implementation so nothing to challenge.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 01, 2019, 08:41:07 PM
Whilst accepting that Chenks has to do as his employer tells him, and in any case he agrees with it, my main concern would be...

If you impose arduous password policies, and stop people from writing them down, then people will have no option but to choose easily remembered passwords.   Such passwords can still long and complex, with special charcters etc.   They might be based on names of relatives or pets, or variations on their birthdays, phone numbers etc.  Requiring a new password every month is easily overcome by just appending “0119”, “0219”, “0319” etc.  That’s all stuff that is quite easy for a serious hacker to work out through social media.  Probably a lot easier than “mynameischris”, at least if use a ‘4’ for the ‘a’, a ‘1’ for the ‘i’, and your name’s not Chris.

As a customer, I’d not be happy to think my data was in the hands of a company that imposed these policies on staff.   But then, that is related to why I still refuse to use any form of online banking.  Banks in particular seem to be obsessed with tunnel vision of “ticking all the boxes” for security, whilst being somewhat oblivious to the obvious flaws in many such strategies.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 09:21:09 PM
If you impose arduous password policies, and stop people from writing them down, then people will have no option but to choose easily remembered passwords.   Such passwords can still long and complex, with special charcters etc.   They might be based on names of relatives or pets, or variations on their birthdays, phone numbers etc.  Requiring a new password every month is easily overcome by just appending “0119”, “0219”, “0319” etc.  That’s all stuff that is quite easy for a serious hacker to work out through social media.  Probably a lot easier than “mynameischris”, at least if use a ‘4’ for the ‘a’, a ‘1’ for the ‘i’, and your name’s not Chris.

password policies can easy be applied to stop those types of passwords being used. office365 currently employs such a policy where a password isn't allowed that is deemed "weak" based on various factors (ie it won't let you just change a 1 to a 2 at the end of a password).

As a customer, I’d not be happy to think my data was in the hands of a company that imposed these policies on staff.   But then, that is related to why I still refuse to use any form of online banking.  Banks in particular seem to be obsessed with tunnel vision of “ticking all the boxes” for security, whilst being somewhat oblivious to the obvious flaws in many such strategies.

as a customer you'd want to ensure systems were properly secure, and that means good passwords.
would you be happy to know your data was behind a system where the operator could enter a password once and never have to type it in again?
that's not "secure" in my eyes. it's essentially the equivalent of putting your bank card into a cash machine, entering you code and it saying "do you want me to remember this?" and you saying yes, so every time you return to that cash machine it doesn't ask you for your pin.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 01, 2019, 09:27:37 PM
i haven't forgotten a password yet, and my expectation of anyone using a system of mine to use a password they won't forget either (that matches the complexity that the system enforces ... ie it won't let them use "mynameischris").
if that results in them being frustrated then good, it's making them think about security, which can only be a good thing.

I've just checked my password manager, I have 356 passwords stored, it would take someone truly exceptional to remember 356 (that's excluding ones on my works system) unique complex passwords of 12 characters or more.

passwords being written down won't happen (or shouldn't happen), as the users aren't allowed paper/notebooks etc.
mobile phones also not permitted.

Are a paperless office, yours must be the only one  ;) People are resourceful, they'll find ways or use something simple, like a password reset option, I wonder how many passwords will be reset once you stop the browser from saving them???
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 09:30:04 PM
I've just checked my password manager, I have 356 passwords stored, it would take someone truly exceptional to remember 356 (that's excluding ones on my works system) unique complex passwords of 12 characters or more.

Are a paperless office, yours must be the only one  ;) People are resourceful, they'll find ways or use something simple, like a password reset option, I wonder how many passwords will be reset once you stop the browser from saving them???

password resets are monitored, so we can easily see how is resetting and how often.
however, if they want to reset every day then batter in i say, a password being changed every day is pretty secure and with the policy not allowing the same passsword to be used or changing it from password1 to password2 they'll soon run out of options :)
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 09:31:59 PM
PS. I changed that password at work today, the one that changes every 30 days, I don't have a clue what it is, I don't need to, I have a long secure password, different to my home one that I use to unlock my password manager.

you either have a very bad memory you let some app choose a password for you.
out of interest, you seem to trust third party companies to manage your user accounts for you? what allows you to put your faith in some company that is in the business of making money.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 01, 2019, 09:37:15 PM
How do they reset that password, via email? And is that email account accessible without a password from the desktop?

I don't know if you read PC Pro, but there is a very good well respected security journalist who writes in there, and has done for years, his view is that a good password manager is more secure than the other options, and that combined with 2FA is even better.

Why do I put my trust in them, the same reason banks have my money, they are better looking after it than me looking after cash under the mattress so to speak, before I had a password manager most my passwords were the same or based on a few variations, and no my memory is not great.

PS. I changed that password at work today, the one that changes every 30 days, I don't have a clue what it is, I don't need to, I have a long secure password, different to my personal one that I use to unlock my password manager. Does that mean it's insecure? The irony is that the password I have to change every 30 days is just so I can release emails that a online system has decided is spam.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 01, 2019, 09:48:37 PM
email is not accessible without a password - office365 which also has a 30 day password reset policy.
via windows desktop which is not accesible without a password, again which has a password reset policy.

i assume you remember you pc/laptop login as you can't set that to save and log you in automatically, although in a home environment you can set it to have no password!

the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).
it's the same as all the people that assume that just because they are using a third party VPN that they are safe, they know nothing about the VPN companies and what they are doing with their data.

it's an interesting debate to have though.

2FA isn't really a viable option as it requires the end-user to have a mobile to get the code, which they aren't permitted to have on their person whilst in the office, and even if they did it would be tying a business account to a personal mobile.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 01, 2019, 10:39:42 PM
would you be happy to know your data was behind a system where the operator could enter a password once and never have to type it in again?
that's not "secure" in my eyes. it's essentially the equivalent of putting your bank card into a cash machine, entering you code and it saying "do you want me to remember this?" and you saying yes, so every time you return to that cash machine it doesn't ask you for your pin.

The card PIN comparison is interesting.   I have used the same few card PINs (varied for each account) for at least 20 years.  Unless I have reason to think somebody has discovered my PIN, I would not want to change it.   Most card issuers seem to agree, as they allow the customer to change the issued PIN to something they prefer.   

Back on topic, your quest to prevent browsers storing passwords...   Your organisation clearly has absolute control over environment, no paper notepads, no mobiles, etc.   So why not just impose an IT policy, such that all workstations are automatically reset daily, with browser caches cleared.     An even better option might be (though I am not expert here) to have diskless workstations, booted daily from a centrally administered image, thus instrinsically thwarting any attempt to store persistent local data?
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 02, 2019, 01:06:54 PM
email is not accessible without a password - office365 which also has a 30 day password reset policy.
via windows desktop which is not accesible without a password, again which has a password reset policy.

So there you have at least three passwords, which are changed regularly, I suspect a lot of people will struggle and resort to cheating one way or another. Do the three passwords have to be different, are there checks between the systems to enforce this? I could probably come up with a system to remember them if I had to, but may still rely on a cryptic clue somewhere.

Quote
i assume you remember you pc/laptop login as you can't set that to save and log you in automatically, although in a home environment you can set it to have no password!

All PC's have passwords, except two media centre PC's used for watching TV and nothing else, although they do actually have passwords but are set to auto sign in to the media PC standard user account. Yes I do remember my password for Windows, also my immediate families passwords for their user accounts as I administer the home network, my server's password, my home password manager, my works password manager, the works admin account password, various pins for alarms, cash machines, pin for my phone, pin protected apps on my phone, several online banking sites (not in password manager), there is a very long list when I think about. I have entered various passwords this morning setting up a more secure router at work and wi-fi networks, but I can't remember exactly what they are.

Quote
the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).

They are better than me because previously I use to use a selection of  relatively weak passwords, but over the years it became apparent that if one site was hacked that password and details could be used elsewhere, so I started using a password manager. Also articles I've read from security experts have re-enforced my view that this is more secure and a better user experience than trying to remember them all, there will always be attack vectors but like everything in life it comes down to compromises.

Someone I know has a system where they write a cryptic clue in a password protected document, that cryptic clue references a particular printed book so they can look up their passwords. This approach is all well and good until they need a password and don't have access to both items.

The bit in red bold in the quote above tells me you don't understand how password managers work, so you'll find the second link below enlightening. Mind you they could still be compromised, I suppose it would take the end users software to be compromised and then send the password database to the hackers.

https://happygeek.com/?page_id=33
https://www.alphr.com/features/380377/password-managers-are-they-safe-which-is-the-best  Quite an old article from 2013, but an interesting read
https://www.forbes.com/sites/daveywinder/2019/02/05/google-reveals-a-big-problem-with-passwords-on-safer-internet-day/#331feb2e5e0b   
https://itsecuritything.com/world-password-day-wont-solve-the-numbnuts-user-problem/

I recently spoke to someone that used the same password for everything, I frightened the life out of them  by showing them their email address was on https://haveibeenpwned.com/ and that meant quite possibly their password was on a dictionary list somewhere. Hopefully they are now changing them and using a password manager.

Quote
it's the same as all the people that assume that just because they are using a third party VPN that they are safe, they know nothing about the VPN companies and what they are doing with their data.

Yes appreciate that, but I'm not even sure that they assume, they just don't know any better, most will be oblivious to websites being hacked etc. I have a VPN back to my home, so if on a connection I don't trust I just turn my devices VPN on and I know my connection is secure, well in as much us I trust my hardware and my home ISP, there's those compromises again.

Quote
it's an interesting debate to have though.

It is indeed, it does make you think.

Quote
2FA isn't really a viable option as it requires the end-user to have a mobile to get the code, which they aren't permitted to have on their person whilst in the office, and even if they did it would be tying a business account to a personal mobile.

Appreciate the difficulties security causes for both side (employee's and employers), but employee's will cheat the system to make life easier, ultimately what it needs is reliable biometric authentication. I say reliable because my finger print doesn't always unlock my phone - if I've been doing physical work then the finger print is harder to recognise.

Do the employees have no pens, hand bags, wallets etc?
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 02, 2019, 04:57:00 PM
Do the employees have no pens, hand bags, wallets etc?

not at their desks, no.
all personal items are in lockers away from the "work floor".

no paper/pen is required as they shouldn't be writing anything down (we deal with personal details including names, addresses, phone numbers, email addresses, which can include refuge/womans aid locations), so data security is a top priority. the people are permitted to have a small personal "white board" with a supplied marker pen, which gets wiped down/cleared after the reason for using is has passed (and certainly wiped at the end of each day).
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 03, 2019, 01:22:06 PM
chenks the reason password managers exist and its deemed bad to enforce manually typed passwords as well as frequent resetting is that they all policies proven that encourage weak passwords and make it more likely they written down, you dealing with humans not robots, like ronski i have triple digit number of passwords as well.

since you dont trust 3rd parties why not develop your own app for the login interface instead of a browser coded by a 3rd party, then its your app your rules.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 03, 2019, 03:34:25 PM
only if the password policy being enforced allows weak passwords, which is doesn't.
writing down the password in this instance would be pointless as it wouldn't be on the desk with them.

we do have own own "app" for the login interface, it's called the web browser with a standard login page where we require the user to manually enter their username and password. we don't want anything to be auto filling in anything, be it the browser or a a password manager.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 03, 2019, 04:42:47 PM
I've come to appreciate chenks position on this, I wonder if the employee's are given advice on creating memorable passwords?

As I said above what it really requires is biometric authentication, perhaps coupled with a swiped security card. The operatives picture could also be taken and stored against the logins. This technology exists now, the government are quite happy to use it with my passport.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 03, 2019, 05:05:03 PM
Ncsc offer specific guidance on some of the things being discussed.

On protection against password guessing...

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

On password expiry policies (linked from above)...

https://www.ncsc.gov.uk/blog-post/your-password-expiry-policy-may-have-reached-its-expiry-date




Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 03, 2019, 05:08:16 PM
I've come to appreciate chenks position on this


eeek!, isn't that the first harbinger of the apocalypse?
Title: Re: browsers offering to save login details - how to properly stop this
Post by: d2d4j on March 03, 2019, 05:54:47 PM
Hi

I think 7lm sums it up

Password expiry is a blunt instrument that casts a long shadow over organisational security. We should call time on this outdated and ineffective practice.

As taken from 7lm last link

I only read quickly but there are parts missing re passwords, which are not widely know such as password length should be an uneven number - reason been crackers use 4 character hacks (simplistic term)

I would be interested to know though, if this is the client who is using server 2008, outdated php and iis and sql 2005

Please feel free to ignore

Many thanks

John
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 03, 2019, 06:35:43 PM

eeek!, isn't that the first harbinger of the apocalypse?

Not quite, whilst I appreciate the need for security and not storing passwords in browsers, or using password managers I do think changing passwords as regularly as every 30 days is rather OTT and must cause some people quite a bit of stress.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 03, 2019, 06:38:40 PM
Not quite, whilst I appreciate the need for security and not storing passwords in browsers, or using password managers I do think changing passwords as regularly as every 30 days is rather OTT and must cause some people quite a bit of stress.

to be fair, with the mount of staff turn over (due to the nature of the work and the type of calls they tend to receive), some never need to change it  ;D
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 03, 2019, 08:16:11 PM
I still don’t ‘get’ the logic that bars employees from using password managers or writing down passwords on slips of paper.   In that scenario, I’d probably carry a pad of paper, leaving it in my car in the car park.   Each time I need to change password, I’d make a note after I’d left the office, whilst fresh in mind.   And each morning, I’d check it, so I could remember it long enough to get to my desk.  And then, rules being rules, rather than carry that slip of paper safely in my wallet, I’d leave it in my car, with password visible to anybody who gained sight.

Interestingly, one of the GCHQ/NCSC links I provided earlier, actually suggests that users should be encouraged to use password managers, or to simply write them down.

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

Quote
Store your passwords rather than trying to remember them all. This enables you to use longer, stronger, unique passwords and change them whenever you want, without making life too hard for yourself. There are two ways you can do this:

It also makes the point, as I interpret it, that while passwords might relied upon by users to protect their own data, they should not be relied upon by systems providers as a means of protecting organisation data...

Quote
If attackers are able to access your systems remotely by guessing users’ passwords, then those systems are not effectively protected; don’t blame the users in this situation.

Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 03, 2019, 08:21:57 PM
i got no issue with the need for tight security, on that i can relate, i suppose the issue is the rigidity and old practices been used, im curious what solution you end up carrying out tho
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 04, 2019, 07:59:52 AM
I still don’t ‘get’ the logic that bars employees from using password managers or writing down passwords on slips of paper.   In that scenario, I’d probably carry a pad of paper, leaving it in my car in the car park.   Each time I need to change password, I’d make a note after I’d left the office, whilst fresh in mind.   And each morning, I’d check it, so I could remember it long enough to get to my desk.  And then, rules being rules, rather than carry that slip of paper safely in my wallet, I’d leave it in my car, with password visible to anybody who gained sight.

Interestingly, one of the GCHQ/NCSC links I provided earlier, actually suggests that users should be encouraged to use password managers, or to simply write them down.

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

It also makes the point, as I interpret it, that while passwords might relied upon by users to protect their own data, they should not be relied upon by systems providers as a means of protecting organisation data...

i never said anyone was barred from using a piece of paper, only that paper/notepads are not permitted on the workfloor.
password managers (although i am against them in general) would the require the user to have yet another username/password (to gain access to the password manager), and as hot-desking is quite common what's to stop them from forgetting the password for that? and if they need to remember it, what stops them from making it an easily guessed password? seeing as they couldn't, i assume, store that password in the password manager.

leaving the piece of paper in your car is fine as the system in question has no external/public access, it's purely internal, so unless it was another member of staff that say the piece of paper with all your passwords on it, it wouldn't be an issue.

if someone other than the owner was to use the password on that piece of paper to gain access to the system then both would be dismissed. 1 for breach of computer misuse act and the other for allowing username/password data to be breached.

anyway, we've drifted quite far off the original topic, which was a question about how to do something. it wasn't a question about whethet something should be done.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: CarlT on March 05, 2019, 11:17:08 PM
the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).

A password manager company has been compromised. The attackers got nothing of value despite having access to the database.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 06, 2019, 10:53:24 AM
which company was that?
out of interest, those that do use password managers, which do you use? Lastpass appears to get top marks from the usual websites, although you usually have to take those "articles" with a pinch of salt.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 06, 2019, 08:16:09 PM
I use keeppass, I plan to switch to keeppass2 for the reason when it generates passwords it avoids lookalike characters, Its an offline password manager.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 06, 2019, 10:09:30 PM
which company was that?
out of interest, those that do use password managers, which do you use? Lastpass appears to get top marks from the usual websites, although you usually have to take those "articles" with a pinch of salt.

I use both Roboform and Lastpass, which was hacked back  in 2015 as mentioned in one of the articles I previously linked to.

https://www.lastpass.com/security/what-if-lastpass-gets-hacked
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 07, 2019, 08:03:28 AM
not sure if that's the same story as i noticed the other day, but apparently the lastpass extension had exploits which would allow hackers to gain access to all passwords. (from 2017 https://www.zdnet.com/article/lastpass-acknowledges-browser-extension-vulnerability-working-on-fix/)
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 07, 2019, 10:30:47 AM
No that's a different story, the one you linked to was discovered and patched prior to being exploited by the bad guys (as far we know).
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Alex Atkin UK on March 25, 2019, 04:06:43 PM
All I can say is I simply couldn't work at a company with that policy.  I wouldn't be able to remember the password from locking my notepad away to getting to the desk.  I can memorise complex passwords (or could, haven't tried in a while), but by the time I had the 30 day reset would come around.

My mum is locked out of her online prescription service because she can't reset her password without going into the GP surgery and she is housebound.

People are incredibly narrow minded when it comes to these things.  I highly suspect the average person has a far worse memory than the people making these decisions.

I did indeed used to use just a couple of password for every site, they have since been compromised and I can't remember every site they were used on so I have no idea if one day I will find a site I used years ago has been compromised.  I can only hope all those sites reset the passwords once they were aware of the issue.

Since storing my passwords in Firefox I have been more random with my passwords.  Facebook doesn't let you use the same password twice, this resorted in me switching from a long password that has never been compromised to a short one to aid memory.  You see how that makes no sense?

If you are truly that paranoid, biometrics is the only answer IMO.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 25, 2019, 06:35:22 PM
The most bonkers site I have come across re security is a certain UK bank, that invalidate your online details if you go more than (I think) three months, without logging in.  In itself, that would not be so bad, as you then need to reregister, which involves interacting with an old fashioned letter delivered through the letterbox, and of course invalidating the old password and dongle,  and proving your identity.   But... whilst you can  re-register as many times as you like, each time re-register, you also need to use a different email address.    ???

I have no idea why they think that insisting upon a different email address adds anything to security, other than falling into the trap of believing that “because it is more awkward, it must be more secure.” :D
Title: Re: browsers offering to save login details - how to properly stop this
Post by: chenks on March 26, 2019, 08:18:21 AM
The most bonkers site I have come across re security is a certain UK bank, that invalidate your online details if you go more than (I think) three months, without logging in.  In itself, that would not be so bad, as you then need to reregister, which involves interacting with an old fashioned letter delivered through the letterbox, and of course invalidating the old password and dongle,  and proving your identity.   But... whilst you can  re-register as many times as you like, each time re-register, you also need to use a different email address.    ???

I have no idea why they think that insisting upon a different email address adds anything to security, other than falling into the trap of believing that “because it is more awkward, it must be more secure.” :D

i suspect, in this instance, it's simply bad coding where in realitythe old online "account" hasn't actually been deleted but is still there, hence why the requirement to use a "new" email address". the old email address will still be there in the system somewhere.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 26, 2019, 03:53:26 PM
i suspect, in this instance, it's simply bad coding where in realitythe old online "account" hasn't actually been deleted but is still there, hence why the requirement to use a "new" email address". the old email address will still be there in the system somewhere.

You may well be right.  But it still leaves me with the feeling that the bank’s implementation of security process, whilst conforming to every tick-box known to the industry,  was entrusted to their “B Team” of programmers.   :)
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 26, 2019, 03:55:28 PM
Given the postal system itself is a security issue, I think a policy of requiring people to go through that process after 3 months is bad for security not good for it.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: sevenlayermuddle on March 26, 2019, 04:36:20 PM
To be fair, my experience was that of a business account, and of individual persons authorised to access that account on behalf of the company.   

They may argue that if Fred hasn’t logged in for a while, Fred may have left the company, so best to make sure the company is still happy for Fred to have access to the pennies.   So I can sympathise with the fact there’s an innactivity timeout.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 29, 2019, 11:33:20 AM
Then they just ask the administrator of the account to reauthorise Fred to access, no need for a full on postal ID check again.

I just had similar issue with betfair it seems.  I had a horrible process to follow when I had to verify my ID as I refused to send it without written agreement from them the data will be destroyed which they kept refusing, eventually they agreed and my account got "ID verified", then today I tried to login a couple of years later and its disabled for "lack of ID verification", I assume its not a one off thing and they expect people to take this security risk practice at intervals.

Skybet also disabled me after a period of time last year, and bet365 have done it as well, seems common practice in betting industry to routinely disable accounts that arent active, then of course if they want to be used again you have to jump through walls, although in the case of bet365 a phone call was enough, but in my opinion that shouldnt even be needed.  Skybet wanted my photo ID again.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Ronski on March 29, 2019, 01:17:00 PM
I used my Betfair account for the first time in a long time the other week and logged in with no issues.
Title: Re: browsers offering to save login details - how to properly stop this
Post by: Chrysalis on March 30, 2019, 02:31:26 PM
Well maybe they werent happy with my request and disabled me for that reason who knows, but it states the reason as requiring identity and that was supplied.

Its even been completely closed.

Quote
Access to this account is denied - this account has been closed. Please contact us if you have any questions.