«

Hi folks,

I need to find a way either using Javascript, META tags,
or some similar solution to prevent people who visit my
webpage from having their passwords saved automatically
in the browser. The reason is security: the webpage
allows access to data that is critical, and if some other
person were for instance to steal a laptop that has a
saved password on it, that would be a major security issue.

So to give an example of what I'm talking about, banks and other
secure online systems prevent the automatic saving
of passwords. The question is, how do they do that?

Thanks.

CoffeeGood wrote:
> I need to find a way either using Javascript, META tags,
> or some similar solution to prevent people who visit my
> webpage from having their passwords saved automatically
> in the browser. The reason is security: the webpage
> allows access to data that is critical, and if some other
> person were for instance to steal a laptop that has a
> saved password on it, that would be a major security issue.

There is no way that the server can make the client do anything that the
client does not wish to do.

Imagine if you'd asked "How can I prevent people from writing down numbers
that I read to them over the phone?", or something that more accurately
represents your situation - you can ask, beg, plead, or command, but nothing
you can do will guarantee to make it happen.

> So to give an example of what I'm talking about, banks and other
> secure online systems prevent the automatic saving
> of passwords. The question is, how do they do that?

I'd say the safest bet is to visit one or two such sites, and see what they
do.

For instance, among the various things my bank does, they include <input ...
autocomplete="off"> to turn off autocomplete.

I'll make a guess that there are likely to be several things to do here, and
it's only a guess, because I'm not an HTML expert.

But once again, any of these measures are only _requests_ to the client.
They may very well be ignored, and should not be treated as "security".
They are hints.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | .
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

CoffeeGood wrote...
> Hi folks,
>
> I need to find a way either using Javascript, META tags,
> or some similar solution to prevent people who visit my
> webpage from having their passwords saved automatically
> in the browser. The reason is security: the webpage
> allows access to data that is critical, and if some other
> person were for instance to steal a laptop that has a
> saved password on it, that would be a major security issue.
>
> So to give an example of what I'm talking about, banks and other
> secure online systems prevent the automatic saving
> of passwords. The question is, how do they do that?


Don't use apache/server authentication, but use..
autocomplete="off"

CoffeeGood wrote:
> Hi folks,
>
> I need to find a way either using Javascript, META tags,
> or some similar solution to prevent people who visit my
> webpage from having their passwords saved automatically
> in the browser. The reason is security: the webpage
> allows access to data that is critical, and if some other
> person were for instance to steal a laptop that has a
> saved password on it, that would be a major security issue.

Have you considered using something like a token if it's that critical?

"CoffeeGood" <> wrote in message
news: ups.com...
> Hi folks,
>
> I need to find a way either using Javascript, META tags,
> or some similar solution to prevent people who visit my
> webpage from having their passwords saved automatically
> in the browser. The reason is security: the webpage
> allows access to data that is critical, and if some other
> person were for instance to steal a laptop that has a
> saved password on it, that would be a major security issue.
>
> So to give an example of what I'm talking about, banks and other
> secure online systems prevent the automatic saving
> of passwords. The question is, how do they do that?

If you are getting them to connect over an SSL link (and, if the data is
remotely private - let alone critical - then you are) then the password is
not saved by default on any platform that I know of.

--

Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!

Hairy One Kenobi wrote:
> "CoffeeGood" <> wrote in message
> news: ups.com...
>
>>Hi folks,
>>
>>I need to find a way either using Javascript, META tags,
>>or some similar solution to prevent people who visit my
>>webpage from having their passwords saved automatically
>>in the browser. The reason is security: the webpage
>>allows access to data that is critical, and if some other
>>person were for instance to steal a laptop that has a
>>saved password on it, that would be a major security issue.
>>
>>So to give an example of what I'm talking about, banks and other
>>secure online systems prevent the automatic saving
>>of passwords. The question is, how do they do that?
>
>
> If you are getting them to connect over an SSL link (and, if the data is
> remotely private - let alone critical - then you are) then the password is
> not saved by default on any platform that I know of.
>
But the user "can" save passwords on at least IE, Firefox, and Netscape
over SSL. This paper you may find useful in solving your issue:

http://crypto.stanford.edu/PwdHash/pwdhash.pdf

Winged

"winged" <> wrote in message
news:dlc9n6$...
> Hairy One Kenobi wrote:
> > "CoffeeGood" <> wrote in message
> > news: ups.com...

<sip>

> > If you are getting them to connect over an SSL link (and, if the data is
> > remotely private - let alone critical - then you are) then the password
is
> > not saved by default on any platform that I know of.
> >
> But the user "can" save passwords on at least IE, Firefox, and Netscape
> over SSL. This paper you may find useful in solving your issue:
>
> http://crypto.stanford.edu/PwdHash/pwdhash.pdf

Actually, I'm not convinced that applies - if the laptop was stolen (the
example given), then the hash would be identical.

If the OP is determined to annoy his users by stopping them from
/deliberately/ choosing the non-default option of storing his or her
password, then you're looking at (e.g.) implementing a banking-style letter
selection authentication (third letter, followed by first letter, and so
on). That way, if the thief manages to lose the post-it stuck to the laptop,
they won't be able to log in (cynic, moi?)

The biggest challenge would not be writing the server-side scripting, but in
trying to ensure that an entire unencrypted list isn't stolen if the site
gets hacked.

H1K

Hairy One Kenobi wrote:
> "winged" <> wrote in message
> news:dlc9n6$...
>
>>Hairy One Kenobi wrote:
>>
>>>"CoffeeGood" <> wrote in message
>>>news: groups.com...
>
>
> <sip>
>
>>>If you are getting them to connect over an SSL link (and, if the data is
>>>remotely private - let alone critical - then you are) then the password
>
> is
>
>>>not saved by default on any platform that I know of.
>>>
>>
>>But the user "can" save passwords on at least IE, Firefox, and Netscape
>>over SSL. This paper you may find useful in solving your issue:
>>
>>http://crypto.stanford.edu/PwdHash/pwdhash.pdf
>
>
> Actually, I'm not convinced that applies - if the laptop was stolen (the
> example given), then the hash would be identical.
>
> If the OP is determined to annoy his users by stopping them from
> /deliberately/ choosing the non-default option of storing his or her
> password, then you're looking at (e.g.) implementing a banking-style letter
> selection authentication (third letter, followed by first letter, and so
> on). That way, if the thief manages to lose the post-it stuck to the laptop,
> they won't be able to log in (cynic, moi?)
>
> The biggest challenge would not be writing the server-side scripting, but in
> trying to ensure that an entire unencrypted list isn't stolen if the site
> gets hacked.
>
> H1K
>
>
Secret here, don't get hacked. Ensure protected data does not live on
the web server and the communication pipes are encrypted and triggered
from the non-exposed server. Additionally ensure the data server ceases
all communications on pipe error. Better to lose the service than the
critical data.

Winged

Hi there,

In comp.security.misc CoffeeGood <> wrote:

> I need to find a way either using Javascript, META tags,
> or some similar solution to prevent people who visit my
> webpage from having their passwords saved automatically
> in the browser. The reason is security: the webpage
> allows access to data that is critical, and if some other
> person were for instance to steal a laptop that has a
> saved password on it, that would be a major security issue.

Without having looked at such a system, I suppose the browser uses a
combination of form URL, form name and input field name to save this
information. So, just make them random enough and autocomplete should(!)
stop working. E.g. instead of

<form name="loginform" ...>
<input type="text" name="login" ...>
<input type="password" name="passwd" ...>
</form>

use something like

<form name="loginform1982akje32471" ...>
<input type="login" name="akajfe31746" ...>
<input type="password" name="13fekj194719" ...>
</form>

You can have the field names derived from session ID or whatever.

I haven't tried that though and nothing prevents browser people from
becoming smart enough to autocomplete anyway. So if you want it real
secure, use password generators or similar methods.

Bye, Tino.