how to programmatically prevent passwords being saved?

Discussion in 'Computer Security' started by CoffeeGood, Nov 14, 2005.

  1. CoffeeGood

    CoffeeGood Guest

    Hi folks,

    I need to find a way either using Javascript, META tags,
    or some similar solution to prevent people who visit my
    webpage from having their passwords saved automatically
    in the browser. The reason is security: the webpage
    allows access to data that is critical, and if some other
    person were for instance to steal a laptop that has a
    saved password on it, that would be a major security issue.

    So to give an example of what I'm talking about, banks and other
    secure online systems prevent the automatic saving
    of passwords. The question is, how do they do that?

    Thanks.
     
    CoffeeGood, Nov 14, 2005
    #1

  2. CoffeeGood

    Alun Jones Guest

    CoffeeGood wrote:
    > I need to find a way either using Javascript, META tags,
    > or some similar solution to prevent people who visit my
    > webpage from having their passwords saved automatically
    > in the browser. The reason is security: the webpage
    > allows access to data that is critical, and if some other
    > person were for instance to steal a laptop that has a
    > saved password on it, that would be a major security issue.


    There is no way that the server can make the client do anything that the
    client does not wish to do.

    Imagine if you'd asked "How can I prevent people from writing down numbers
    that I read to them over the phone?", or something that more accurately
    represents your situation - you can ask, beg, plead, or command, but nothing
    you can do will guarantee to make it happen.

    > So to give an example of what I'm talking about, banks and other
    > secure online systems prevent the automatic saving
    > of passwords. The question is, how do they do that?


    I'd say the safest bet is to visit one or two such sites, and see what they
    do.

    For instance, among the various things my bank does, they include <input ...
    autocomplete="off"> to turn off autocomplete.

    I'll make a guess that there are likely to be several things to do here, and
    it's only a guess, because I'm not an HTML expert.

    But once again, any of these measures are only _requests_ to the client.
    They may very well be ignored, and should not be treated as "security".
    They are hints.

    Alun.
    ~~~~
    [Please don't email posters, if a Usenet response is appropriate.]
    --
    Texas Imperial Software | Find us at http://www.wftpd.com or email
    23921 57th Ave SE | .
    Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
     
    Alun Jones, Nov 14, 2005
    #2

  3. CoffeeGood

    Jim Guest

    CoffeeGood wrote...
    > Hi folks,
    >
    > I need to find a way either using Javascript, META tags,
    > or some similar solution to prevent people who visit my
    > webpage from having their passwords saved automatically
    > in the browser. The reason is security: the webpage
    > allows access to data that is critical, and if some other
    > person were for instance to steal a laptop that has a
    > saved password on it, that would be a major security issue.
    >
    > So to give an example of what I'm talking about, banks and other
    > secure online systems prevent the automatic saving
    > of passwords. The question is, how do they do that?



    Don't use apache/server authentication, but use..
    autocomplete="off"
     
    Jim, Nov 14, 2005
    #3
  4. CoffeeGood

    Martin Guest

    CoffeeGood wrote:
    > Hi folks,
    >
    > I need to find a way either using Javascript, META tags,
    > or some similar solution to prevent people who visit my
    > webpage from having their passwords saved automatically
    > in the browser. The reason is security: the webpage
    > allows access to data that is critical, and if some other
    > person were for instance to steal a laptop that has a
    > saved password on it, that would be a major security issue.


    Have you considered using something like a token if it's that critical?
     
    Martin, Nov 14, 2005
    #4
  5. "CoffeeGood" <> wrote in message
    news:...
    > Hi folks,
    >
    > I need to find a way either using Javascript, META tags,
    > or some similar solution to prevent people who visit my
    > webpage from having their passwords saved automatically
    > in the browser. The reason is security: the webpage
    > allows access to data that is critical, and if some other
    > person were for instance to steal a laptop that has a
    > saved password on it, that would be a major security issue.
    >
    > So to give an example of what I'm talking about, banks and other
    > secure online systems prevent the automatic saving
    > of passwords. The question is, how do they do that?


    If you are getting them to connect over an SSL link (and, if the data is
    remotely private - let alone critical - then you are) then the password is
    not saved by default on any platform that I know of.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Nov 15, 2005
    #5
  6. CoffeeGood

    winged Guest

    Hairy One Kenobi wrote:
    > "CoffeeGood" <> wrote in message
    > news:...
    >
    >>Hi folks,
    >>
    >>I need to find a way either using Javascript, META tags,
    >>or some similar solution to prevent people who visit my
    >>webpage from having their passwords saved automatically
    >>in the browser. The reason is security: the webpage
    >>allows access to data that is critical, and if some other
    >>person were for instance to steal a laptop that has a
    >>saved password on it, that would be a major security issue.
    >>
    >>So to give an example of what I'm talking about, banks and other
    >>secure online systems prevent the automatic saving
    >>of passwords. The question is, how do they do that?

    >
    >
    > If you are getting them to connect over an SSL link (and, if the data is
    > remotely private - let alone critical - then you are) then the password is
    > not saved by default on any platform that I know of.
    >

    But the user "can" save passwords on at least IE, Firefox, and Netscape
    over SSL. This paper you may find useful in solving your issue:

    http://crypto.stanford.edu/PwdHash/pwdhash.pdf

    Winged
     
    winged, Nov 15, 2005
    #6
  7. "winged" <> wrote in message
    news:dlc9n6$...
    > Hairy One Kenobi wrote:
    > > "CoffeeGood" <> wrote in message
    > > news:...


    <sip>

    > > If you are getting them to connect over an SSL link (and, if the data is
    > > remotely private - let alone critical - then you are) then the password is
    > > not saved by default on any platform that I know of.
    > >

    > But the user "can" save passwords on at least IE, Firefox, and Netscape
    > over SSL. This paper you may find useful in solving your issue:
    >
    > http://crypto.stanford.edu/PwdHash/pwdhash.pdf


    Actually, I'm not convinced that applies - if the laptop was stolen (the
    example given), then the hash would be identical.

    If the OP is determined to annoy his users by stopping them from
    /deliberately/ choosing the non-default option of storing his or her
    password, then you're looking at (e.g.) implementing a banking-style letter
    selection authentication (third letter, followed by first letter, and so
    on). That way, if the thief manages to lose the post-it stuck to the laptop,
    they won't be able to log in (cynic, moi?)

    The biggest challenge would not be writing the server-side scripting, but in
    trying to ensure that an entire unencrypted list isn't stolen if the site
    gets hacked.

    H1K
     
    Hairy One Kenobi, Nov 15, 2005
    #7
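
One way to build the letter-selection check described in post #7, shown as an added example that is not part of the thread: the server stores one keyed digest per password position instead of the password itself, and asks for a few random positions per login. The pepper, the record layout and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def position_digest(pepper: bytes, salt: bytes, position: int, char: str) -> bytes:
    """Keyed digest binding one character to its position and the user's salt."""
    msg = salt + position.to_bytes(2, "big") + char.encode("utf-8")
    return hmac.new(pepper, msg, hashlib.sha256).digest()


def enroll(password: str, pepper: bytes) -> dict:
    """Build the stored record: a salt plus one keyed digest per position."""
    # Anyone holding both this record and the pepper can recover each character
    # by trying every candidate, so the pepper is assumed to live off the
    # web-facing host (hypothetical deployment choice).
    salt = secrets.token_bytes(16)
    digests = [position_digest(pepper, salt, i, ch) for i, ch in enumerate(password)]
    return {"salt": salt, "digests": digests}


def new_challenge(record: dict, count: int = 3) -> list:
    """Pick distinct random 0-based positions; keep them server-side per login."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(len(record["digests"])), count))


def verify(record: dict, pepper: bytes, challenge: list, answers: list) -> bool:
    """Check the answers against the positions the server itself chose."""
    if len(answers) != len(challenge):
        return False
    ok = True
    for position, char in zip(challenge, answers):
        expected = record["digests"][position]
        single = len(char) == 1
        candidate = position_digest(pepper, record["salt"], position, char)
        # Compare every position in constant time; do not stop at the first miss.
        ok = hmac.compare_digest(expected, candidate) and single and ok
    return ok
```
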
  8. CoffeeGood

    Winged Guest

    Hairy One Kenobi wrote:
    > "winged" <> wrote in message
    > news:dlc9n6$...
    >
    >>Hairy One Kenobi wrote:
    >>
    >>>"CoffeeGood" <> wrote in message
    >>>news:...

    >
    >
    > <sip>
    >
    >>>If you are getting them to connect over an SSL link (and, if the data is
    >>>remotely private - let alone critical - then you are) then the password is
    >>>not saved by default on any platform that I know of.
    >>>

    >>
    >>But the user "can" save passwords on at least IE, Firefox, and Netscape
    >>over SSL. This paper you may find useful in solving your issue:
    >>
    >>http://crypto.stanford.edu/PwdHash/pwdhash.pdf

    >
    >
    > Actually, I'm not convinced that applies - if the laptop was stolen (the
    > example given), then the hash would be identical.
    >
    > If the OP is determined to annoy his users by stopping them from
    > /deliberately/ choosing the non-default option of storing his or her
    > password, then you're looking at (e.g.) implementing a banking-style letter
    > selection authentication (third letter, followed by first letter, and so
    > on). That way, if the thief manages to lose the post-it stuck to the laptop,
    > they won't be able to log in (cynic, moi?)
    >
    > The biggest challenge would not be writing the server-side scripting, but in
    > trying to ensure that an entire unencrypted list isn't stolen if the site
    > gets hacked.
    >
    > H1K
    >
    >

    Secret here, don't get hacked. Ensure protected data does not live on
    the web server and the communication pipes are encrypted and triggered
    from the non-exposed server. Additionally ensure the data server ceases
    all communications on pipe error. Better to lose the service than the
    critical data.

    Winged
     
    Winged, Nov 16, 2005
    #8
  9. Hi there,

    In comp.security.misc CoffeeGood <> wrote:

    > I need to find a way either using Javascript, META tags,
    > or some similar solution to prevent people who visit my
    > webpage from having their passwords saved automatically
    > in the browser. The reason is security: the webpage
    > allows access to data that is critical, and if some other
    > person were for instance to steal a laptop that has a
    > saved password on it, that would be a major security issue.


    Without having looked at such a system, I suppose the browser uses a
    combination of form URL, form name and input field name to save this
    information. So, just make them random enough and autocomplete should(!)
    stop working. E.g. instead of

    <form name="loginform" ...>
    <input type="text" name="login" ...>
    <input type="password" name="passwd" ...>
    </form>

    use something like

    <form name="loginform1982akje32471" ...>
    <input type="text" name="akajfe31746" ...>
    <input type="password" name="13fekj194719" ...>
    </form>

    You can have the field names derived from session ID or whatever.

    I haven't tried that though and nothing prevents browser people from
    becoming smart enough to autocomplete anyway. So if you want it real
    secure, use password generators or similar methods.

    Bye, Tino.
     
    Tino Schwarze, Nov 23, 2005
    #9
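
The per-session field names suggested in post #9, combined with the `autocomplete="off"` attribute from post #2, shown as an added example that is not part of the thread. The key, the session IDs and the function names are assumptions; as the thread points out, both measures remain hints that a browser may ignore.

```python
import hashlib
import hmac

# Hypothetical server-side secret; constructed value for this example only.
FIELD_KEY = b"constructed-demo-key"
LOGICAL_FIELDS = ("login", "passwd")  # field names from the post's first form


def field_name(session_id: str, logical: str) -> str:
    """Derive an opaque, per-session name for one logical form field."""
    msg = f"{session_id}:{logical}".encode()
    digest = hmac.new(FIELD_KEY, msg, hashlib.sha256).hexdigest()
    return "f" + digest[:16]  # leading letter keeps the name identifier-like


def render_login_form(session_id: str) -> str:
    """Render the login form with per-session names and autocomplete off."""
    form = field_name(session_id, "loginform")
    login = field_name(session_id, "login")
    passwd = field_name(session_id, "passwd")
    return (
        f'<form name="{form}" method="post" autocomplete="off">\n'
        f'<input type="text" name="{login}" autocomplete="off">\n'
        f'<input type="password" name="{passwd}" autocomplete="off">\n'
        "</form>"
    )


def parse_submission(session_id: str, posted: dict) -> dict:
    """Map posted per-session names back to the logical field names.

    Raises ValueError when the posted names are not exactly the ones issued
    for this session, e.g. a form rendered for a different session.
    """
    expected = {field_name(session_id, f): f for f in LOGICAL_FIELDS}
    if set(posted) != set(expected):
        raise ValueError("form fields do not match this session")
    return {expected[name]: value for name, value in posted.items()}
```
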