how to programmatically prevent passwords being saved?

Discussion in 'Computer Security' started by CoffeeGood, Nov 14, 2005.

  1. CoffeeGood (Guest)

    Hi folks,

    I need to find a way either using Javascript, META tags,
    or some similar solution to prevent people who visit my
    webpage from having their passwords saved automatically
    in the browser. The reason is security: the webpage
    allows access to data that is critical, and if some other
    person were for instance to steal a laptop that has a
    saved password on it, that would be a major security issue.

    So to give an example of what I'm talking about, banks and other
    secure online systems prevent the automatic saving
    of passwords. The question is, how do they do that?

    Thanks.
     
    CoffeeGood, Nov 14, 2005
    #1

  2. Alun Jones (Guest)

    There is no way that the server can make the client do anything that the
    client does not wish to do.

    Imagine if you'd asked "How can I prevent people from writing down numbers
    that I read to them over the phone?", or something that more accurately
    represents your situation - you can ask, beg, plead, or command, but nothing
    you can do will guarantee to make it happen.
    I'd say the safest bet is to visit one or two such sites, and see what they
    do.

    For instance, among the various things my bank does, they include <input ...
    autocomplete="off"> to turn off autocomplete.

    I'll make a guess that there are likely to be several things to do here, and
    it's only a guess, because I'm not an HTML expert.

    But once again, any of these measures are only _requests_ to the client.
    They may very well be ignored, and should not be treated as "security".
    They are hints.

    Alun.
    ~~~~
    [Please don't email posters, if a Usenet response is appropriate.]
     
    Alun Jones, Nov 14, 2005
    #2

  3. Jim (Guest)

    CoffeeGood wrote...

    Don't use apache/server authentication, but use..
    autocomplete="off"
     
    Jim, Nov 14, 2005
    #3
  4. Martin (Guest)

    Have you considered using something like a token if it's that critical?
     
    Martin, Nov 14, 2005
    #4
  5. If you are getting them to connect over an SSL link (and, if the data is
    remotely private - let alone critical - then you are) then the password is
    not saved by default on any platform that I know of.

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Nov 15, 2005
    #5
  6. winged (Guest)

    But the user "can" save passwords on at least IE, Firefox, and Netscape
    over SSL. This paper you may find useful in solving your issue:

    http://crypto.stanford.edu/PwdHash/pwdhash.pdf

    Winged
     
    winged, Nov 15, 2005
    #6
  7. Actually, I'm not convinced that applies - if the laptop was stolen (the
    example given), then the hash would be identical.

    If the OP is determined to annoy his users by stopping them from
    /deliberately/ choosing the non-default option of storing his or her
    password, then you're looking at (e.g.) implementing a banking-style letter
    selection authentication (third letter, followed by first letter, and so
    on). That way, if the thief manages to lose the post-it stuck to the laptop,
    they won't be able to log in (cynic, moi?)

    The biggest challenge would not be writing the server-side scripting, but in
    trying to ensure that an entire unencrypted list isn't stolen if the site
    gets hacked.

    H1K
     
    Hairy One Kenobi, Nov 15, 2005
    #7
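    The "banking-style letter selection" that Hairy One Kenobi mentions, worked through as an added example (this is not code from the thread; the function names, the use of Node's crypto module and the sample password are assumptions made here). The server picks a few random positions, the user supplies only those characters, and the answer is checked in constant time. The scheme does what the post says: a password the browser stored in full is of no help at the next login because the requested positions change every time.

    ```javascript
    // Added example: partial-password ("letter selection") challenge.
    // Assumptions: Node.js crypto module; ASCII passwords; positions are 1-based.
    const crypto = require("crypto");

    // Pick `count` distinct positions in a password of `length` characters.
    // A CSPRNG is used so the next challenge cannot be predicted.
    function makeChallenge(length, count) {
      if (count > length) throw new Error("more positions requested than characters");
      const positions = new Set();
      while (positions.size < count) {
        positions.add(crypto.randomInt(1, length + 1)); // upper bound is exclusive
      }
      return [...positions].sort((a, b) => a - b);
    }

    // Verify the user's answers for the challenged positions against the
    // stored secret. All positions are compared at once with a constant-time
    // comparison so timing does not reveal which character was wrong.
    function verifyChallenge(secret, positions, answers) {
      if (answers.length !== positions.length) return false;
      if (positions.some((p) => p < 1 || p > secret.length)) return false;
      const expected = Buffer.from(positions.map((p) => secret[p - 1]).join(""), "utf8");
      const given = Buffer.from(answers.join(""), "utf8");
      if (expected.length !== given.length) return false;
      return crypto.timingSafeEqual(expected, given);
    }

    // Constructed walk-through: one login round with a sample secret.
    const SAMPLE_SECRET = "correcthorse"; // constructed, not a real credential
    const challenge = makeChallenge(SAMPLE_SECRET.length, 3);
    console.log("please enter characters at positions", challenge);
    const answers = challenge.map((p) => SAMPLE_SECRET[p - 1]); // what a correct user would type
    console.log("accepted:", verifyChallenge(SAMPLE_SECRET, challenge, answers));
    ```

    The cost of this design is the one the post's last paragraph points at: to check individual characters the server must keep the password in a form from which single characters can be recovered (for example reversibly encrypted under a key held elsewhere), not as a one-way hash, so protecting that store from theft becomes the main problem.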
  8. Winged (Guest)

    Secret here, don't get hacked. Ensure protected data does not live on
    the web server and the communication pipes are encrypted and triggered
    from the non-exposed server. Additionally ensure the data server ceases
    all communications on pipe error. Better to lose the service than the
    critical data.

    Winged
     
    Winged, Nov 16, 2005
    #8
  9. Hi there,

    Without having looked at such a system, I suppose the browser uses a
    combination of form URL, form name and input field name to save this
    information. So, just make them random enough and autocomplete should(!)
    stop working. E.g. instead of

    <form name="loginform" ...>
    <input type="text" name="login" ...>
    <input type="password" name="passwd" ...>
    </form>

    use something like

    <form name="loginform1982akje32471" ...>
    <input type="text" name="akajfe31746" ...>
    <input type="password" name="13fekj194719" ...>
    </form>

    You can have the field names derived from session ID or whatever.

    I haven't tried that though and nothing prevents browser people from
    becoming smart enough to autocomplete anyway. So if you want it real
    secure, use password generators or similar methods.

    Bye, Tino.
     
    Tino Schwarze, Nov 23, 2005
    #9
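    The two concrete suggestions in this thread, autocomplete="off" from Alun Jones's post and per-session field names from Tino's post, put together as an added example (not code from the thread). The field names are derived from the session ID with an HMAC under a server secret, so the server can recompute them when the form is posted rather than remembering which random name meant what. The function names, the server key and the sample session IDs are assumptions made for the illustration.

    ```javascript
    // Added example: login form with autocomplete="off" and session-derived
    // field names, plus the server-side step that maps the posted fields back.
    // Assumptions: Node.js crypto module; SERVER_KEY is a placeholder secret.
    const crypto = require("crypto");

    const SERVER_KEY = "replace-with-a-long-random-server-secret"; // placeholder

    // Derive a stable but unguessable field name for (sessionId, logicalName).
    // Prefixed with a letter so it is always a valid HTML name attribute.
    function fieldName(sessionId, logicalName) {
      const digest = crypto
        .createHmac("sha256", SERVER_KEY)
        .update(`${sessionId}:${logicalName}`)
        .digest("hex");
      return "f" + digest.slice(0, 16);
    }

    // Render the login form for one session. Field names differ between
    // sessions and autocomplete="off" is set on the form and on each input.
    function renderLoginForm(sessionId) {
      const formName = fieldName(sessionId, "form");
      const loginName = fieldName(sessionId, "login");
      const passwdName = fieldName(sessionId, "passwd");
      return [
        `<form name="${formName}" method="post" action="/login" autocomplete="off">`,
        `<input type="text" name="${loginName}" autocomplete="off">`,
        `<input type="password" name="${passwdName}" autocomplete="off">`,
        `<input type="submit" value="Log in">`,
        `</form>`,
      ].join("\n");
    }

    // Server side: given the session and the posted body (field name -> value),
    // recover the logical login/passwd pair, or null if the expected fields
    // are missing (wrong session, stale form, or tampered names).
    function resolveLogin(sessionId, body) {
      const login = body[fieldName(sessionId, "login")];
      const passwd = body[fieldName(sessionId, "passwd")];
      if (login === undefined || passwd === undefined) return null;
      return { login, passwd };
    }

    // Constructed walk-through with a made-up session ID.
    const sessionId = "sess-example-1";
    console.log(renderLoginForm(sessionId));
    const postedBody = {}; // what the browser would send back for this session
    postedBody[fieldName(sessionId, "login")] = "alice";
    postedBody[fieldName(sessionId, "passwd")] = "hunter2";
    console.log(resolveLogin(sessionId, postedBody));
    ```

    As Alun's post says, both measures are hints to the client, not security: browsers are free to store the password anyway, and current browsers in fact ignore autocomplete="off" on password fields and still offer to save them. The derivation from the session ID is mainly there so the server never has to persist the random names.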
