Kitz ADSL Broadband Information

Author Topic: browsers offering to save login details - how to properly stop this  (Read 7762 times)

chenks

  • Reg Member
  • ***
  • Posts: 706

it seems every browser nowadays wants to "help" the user by prompting to save the username and password when logging into a website.
great for the lazy end-user, but bad for forcing people to actually log in properly each time, and bad for enforcing password changes when the end-user forgets their password because the browser is entering it for them.

we have some website here where we are enforcing regular password changes, and due to the end-user happily clicking "yes" when chrome asks them to save the details it means every 30 days the end-user is not remembering the password they chose.

so i've been looking at some code to try and block the browser prompting this. it seems that the original method of "autocomplete=off" is no longer correctly honoured by "modern" browsers, most simply ignore it.

so a method i saw was to hide the real form fields so the browser didn't see them as a login attempt, and the method i saw and tried works with Chrome, Opera and internet explorer, but not sodding Firefox!!

Code:
<!-- visible fields sit outside the form, so the browser does not see a login form -->
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>

<!-- only the hidden fields are posted -->
<form id="theForm" action="/your/login" method="post">
  <input type="hidden" id="hiddenUsername" name="username"/>
  <input type="hidden" id="hiddenPassword" name="password"/>
  <input type="submit" value="Login"/>
</form>

<script type="text/javascript">
  // requires jQuery to be loaded before this script
  // copy the visible values into the hidden fields just before the form is posted
  $("#theForm").submit(function() {
    $("#hiddenUsername").val($("#username").val());
    $("#hiddenPassword").val($("#password").val());
  });
  // pressing Enter (key code 13) in either visible field submits the form
  $("#username,#password").keypress(function(e) {
    if (e.which == 13) {
      $("#theForm").submit();
    }
  });
</script>

also, this method appears to show the actual password text in the browser.

so has anyone come up with a solid method that works in all browsers that doesn't result in weaker security?
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #1 on: February 28, 2019, 11:41:22 AM »

First thing I will say is practices like forcing password changes have proven to be a false economy in terms of security, you get situations like users rotating two passwords and it makes it more likely someone will use a weak password.  In addition blocking people saving passwords has also proven a false economy, again it encourages weak passwords to be used if you are having to manually type it in.  This is a big reason why Chrome developers now have blocked websites from blocking password auto filling.  If you also block copy and paste in password fields I suggest you stop that behaviour as well as that's another policy that encourages the use of weak passwords.

With that said I don't let my browser remember passwords for sensitive stuff like banking, however the banks are sensible that they don't enforce false economy practices such as regular password updates and preventing copy and paste.

I don't know the answer to your query other than to use drop down letter selections, that will stop it, but also make it a pain to input all the characters.  However what you could do is make it ask for say four random characters, some banks do this, so e.g. characters 3,6,11,17 from the password selectable in drop down selections.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

broadstairs

  • Kitizen
  • ****
  • Posts: 3195
Re: browsers offering to save login details - how to properly stop this
« Reply #2 on: February 28, 2019, 12:05:23 PM »

I must admit it does frustrate me when on the odd occasion a website does funny things with login pages. I don't see that allowing browsers to remember passwords is an issue. Firefox will prompt a user to update a password if the login details change. I try to use a different password for every login and the only other way to remember this would be to write them down which is a really daft thing to get users to do. Using a password manager of some sort is quite secure especially if it saves the details encrypted.

Stuart
Logged
ISP:TalkTalk Connection:FTTC Cab:ECI Router:Netgear D6220

chenks

  • Reg Member
  • ***
  • Posts: 706
Re: browsers offering to save login details - how to properly stop this
« Reply #3 on: February 28, 2019, 02:33:32 PM »

the problem we are having is this.

we enforce a 30 day password reset/renewal - the password strength needs to be high (it doesn't allow a weak password to be used).
browsers saving the passwords kind of defeats the purpose of having one in the first place if someone who gains access to a desktop can then just load the page and have the browser auto fill in the security details. it also results in the user not remembering/knowing what their password is, so when they move computer or have to change it they end up having no idea what their password is currently.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #4 on: February 28, 2019, 05:15:51 PM »

forgot password button solves the second problem.

For your other issue I would stop stressing over saved passwords and just add proper 2FA.  Not to mention the other solution I proposed would also work.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

chenks

  • Reg Member
  • ***
  • Posts: 706
Re: browsers offering to save login details - how to properly stop this
« Reply #5 on: February 28, 2019, 05:56:54 PM »

i have no idea what you mean by "drop down letter selections".
and i'm not sure what 2FA achieves, they still need to know the password.

a "forgot password button" isn't a solution IMO, it's a workaround. it still allows a user to have no idea what their password is.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #6 on: February 28, 2019, 06:04:49 PM »

I don't know what most of my passwords are, which is a good thing.  If someone knows their password then it probably isn't a strong password.  I use a password manager, I let my browser remember passwords for sites like kitz, but not for things like banking sites.

Which is easier to remember?

mynameischris

or

dsfd89f789sfhdsjhf9s7f89syfhhs9

drop down is basically where you have a box you click on, and it's like a menu with a-z0-9  so you select the letter or number, these don't work with auto password fill stuff.  So they have to be manually inputted by the end user.  But for a full password it would serve to just frustrate everyone, so typically they are used on systems where you have to enter random parts of the password not the entire password.  You could even use basic input boxes, Barclaycard do this, they ask for random parts of your pin, and because it changes every time you login the auto password system will fail.

What 2FA achieves is it solves the problem you were concerned about if the desktop got compromised, as they wouldn't be able to pass 2FA.

I don't know, it seems you are just being stubborn and want to just have a basic password auth screen that cannot be automated.  A practice that has been deemed by many security experts as bad and even to the point both Chrome and Firefox devs specifically have made difficult to carry out.
« Last Edit: February 28, 2019, 06:11:56 PM by Chrysalis »
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

chenks

  • Reg Member
  • ***
  • Posts: 706
Re: browsers offering to save login details - how to properly stop this
« Reply #7 on: February 28, 2019, 06:10:45 PM »

one of my passwords is a random string of characters with upper and lower case and numbers, yet i can remember it with no problems.
so is that not a strong password?

not stubborn at all, i'm asking how to do a specific thing. i didn't ask for opinion or how others would do it.

IMO having a browser save a user/pass equates to zero security. the user becomes oblivious to the level of security required to access.
they just enter it once, click remember and they've washed their hands of it.
« Last Edit: February 28, 2019, 06:14:22 PM by chenks »
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #8 on: February 28, 2019, 06:14:37 PM »

Then I will say you have above average memory skills.  Don't assume everyone has the same ability, and what happens if you are using unique passwords on every site (recommended practice), do you remember them all?

You will find it difficult to do what you want to do because browser developers specifically don't want you doing that.  So you need to change the authentication system to achieve your goals, you don't want automated logins, you don't want the ability to login via a compromised desktop.  Then add 2FA.
« Last Edit: February 28, 2019, 06:16:42 PM by Chrysalis »
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE

chenks

  • Reg Member
  • ***
  • Posts: 706
Re: browsers offering to save login details - how to properly stop this
« Reply #9 on: February 28, 2019, 06:17:39 PM »

i haven't forgotten a password yet, and my expectation of anyone using a system of mine is to use a password they won't forget either (that matches the complexity that the system enforces ... ie it won't let them use "mynameischris").
if that results in them being frustrated then good, it's making them think about security, which can only be a good thing.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #10 on: February 28, 2019, 06:18:59 PM »

I added a screenshot to show you what I mean.

That's from Lloyds Bank, it has to be manually inputted every login.  It doesn't ask for that combination of characters every time either, it will randomise what it asks for.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE
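
The randomised partial-password prompt described in the replies above, sketched server-side in Node.js as an added example that is not part of any poster's message. A normal one-way password hash cannot be checked character by character, so this sketch assumes a separate secret stored as one keyed HMAC per position; `SERVER_KEY`, `enrol`, `newChallenge` and `verify` are hypothetical names, and the sample secret used with it is constructed.

```javascript
const crypto = require("node:crypto");

// Constructed sample key; a real key would live outside the credential store.
const SERVER_KEY = crypto.randomBytes(32);

// Keyed tag for "character `ch` at zero-based position `index`".
function positionTag(key, index, ch) {
  return crypto.createHmac("sha256", key).update(`${index}:${ch}`).digest();
}

// Enrolment: store one tag per character (hypothetical storage scheme).
function enrol(secret, key) {
  return Array.from(secret, (ch, i) => positionTag(key, i, ch));
}

// Pick `count` distinct 1-based positions with a CSPRNG, sorted for display.
function newChallenge(secretLength, count) {
  if (count > secretLength) throw new RangeError("count exceeds secret length");
  const picked = new Set();
  while (picked.size < count) picked.add(crypto.randomInt(1, secretLength + 1));
  return [...picked].sort((a, b) => a - b);
}

// Check the answers against the challenge the server issued for this session.
function verify(record, key, challenge, answers) {
  if (!Array.isArray(answers) || answers.length !== challenge.length) return false;
  let ok = true;
  challenge.forEach((pos, i) => {
    const got = positionTag(key, pos - 1, String(answers[i]));
    // Compare every position in constant time; no early exit on a mismatch.
    ok = crypto.timingSafeEqual(record[pos - 1], got) && ok;
  });
  return ok;
}
```

The challenge has to be kept in the server-side session and reused until it is answered correctly; issuing a fresh one on every page load would let someone who knows only a few characters reload until those positions come up.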

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 3334
Re: browsers offering to save login details - how to properly stop this
« Reply #11 on: February 28, 2019, 07:27:54 PM »

If I worked for you chenks I'd be saving my password in my password manager on my phone, if my wife worked for you she'd be writing it in her note book that's kept in her pocket!

We don't all have super memories, mine is terrible, Chris is right in what he's saying.

Changing a password every month is a nightmare, I have one service I use which forces that and prior to using a password manager at work I just used to reset the password whenever I logged in.

PS I have never kept passwords stored in a browser, Chrome once used to store them in plain text.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4365
Re: browsers offering to save login details - how to properly stop this
« Reply #12 on: February 28, 2019, 08:35:55 PM »

I actually do agree with Chenks here, that allowing a Browser to store passwords is a bad thing, for the reasons he cited earlier.    For similar reasons I do not use password managers, I depend entirely on my own memory, which is pretty good when it comes to alphanumeric strings.  A useless skill of mine is that I can often “summon the memory” of all my own and my friends’ car registrations and phone numbers dating back to the 1970s. :)

That said, when faced with a service of any kind that imposes excessively arduous password constraints, my strategy is... how easily can it be reset when I forget?    If it can easily be reset then fine, I will use that service and just reset the password each time I forget it.

But if a service mandates arduous passwords, and won’t allow me to easily reset when I forget, I will if possible just “walk away” from that service, and find another means of doing whatever it is.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 32216
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: browsers offering to save login details - how to properly stop this
« Reply #13 on: March 01, 2019, 01:03:14 AM »

Quote
I use a password manager, I let my browser remember passwords for sites like kitz, but not for things like banking sites.

This ^ 
Although I don't use a password manager for my bank account - but that's not to say it's not something stupid.   
I have to prompt myself sometimes to figure it out if I'm having a brain fog day.

Quote
If I worked for you chenks I'd be saving my password in my password manager on my phone, if my wife worked for you she'd be writing it in her note book that's kept in her pocket!

Again this ^.   
At work we used to have to change passwords every 30 days and it had to have a mix of chars/numbers/case.   
After about a year it becomes a nightmare trying to think of a new password in a hurry, especially when you're attempting to log-in with a customer in front of you & the prompt to change passy comes up. 
I know for a fact that a lot of staff ended up writing down passwords on scraps of paper.  :(

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 5915
Re: browsers offering to save login details - how to properly stop this
« Reply #14 on: March 01, 2019, 02:44:27 AM »

pretty much what kitz said.
Logged
AAISP - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab - LINE STATISTICS CLICK HERE