Wednesday, March 21, 2007

Web security and the autocomplete attribute

In this day and age, most web browsers offer some sort of form autocompletion feature. IE, Firefox, Opera and Safari all have it. The browser will offer to store your logon information and common form fields, such as first name or address, and fill them into the appropriate forms. As far as I am concerned, this feature was a blessing for web security. Now, you would think, a user can choose proper, secure passwords for his various web sites without writing them down on sticky notes and without reusing the same ones over and over again.

Unfortunately this is not entirely true, since not one browser I know offers an easy and obvious way to back up the passwords, or an easy and obvious way to use them from a portable medium such as a USB key or a mini CD. I know that, with a bit of skill, you can export IE and Opera settings and back up a Firefox profile, but who is going to bother? This should be something the browser does for you transparently, so that people actually get into the habit of using such a feature properly.

But back to the point. In Microsoft's implementation, autocomplete doesn't automatically fill the fields. If you go to the login page of some site, it will present you with a choice of usernames, and once you pick a username it will fill in the password if it was stored. Not very secure. Especially considering that, by default, every time you fill in a form IE will prompt you to turn autocomplete on, and once it is on there is no indication that your username is being stored. It will prompt for the password. So, on a publicly accessible computer this feature becomes a privacy and security horror?

Not really. If you do not turn this feature on by default and do not bug the user about it, no one in their right mind will turn it on on a public computer, and a nicely evil restrictive user policy will help against those not in their right mind. Firefox also has a similar feature, where it will ask to remember your username and password, but the default answer is no and it will not remember your username by default without asking.

So, what is the Microsoft solution? In IE 5.5, a new feature creeps in: the autocomplete attribute. Now anybody who is designing a login form can turn off autocomplete for a particular form, or even for a particular control. Firefox, in a fit of moronic excitement, follows suit and implements support for this new non-standard attribute without thinking about the consequences. I am fairly sure Opera recognizes autocomplete as well. So, for example, when browsing the Chase online banking site you are not going to be prompted to remember the password you are entering.

So, this is a good thing. You do not want to leave your bank account wide open, do you? No, I do not. But this is not a good thing. Why? Because it takes control over security away from me, the user. Now Chase Manhattan Bank, and not me, decides that my bank login information is sensitive enough not to be stored anywhere. A lot of sites follow suit and use the autocomplete attribute left and right without any regard to the actual risk of user accounts falling into the wrong hands. Some web site analyzer programs actually throw out a warning if they find a password field without autocomplete=off. So now I cannot decide for myself whether a particular piece of information is important or not; this has been decided for me.

Promoting personal freedoms is a good thing, but do these restrictions actually help? Let's imagine a scenario where they do. A user comes to an internet café and goes to check his bank account. When prompted to save his account information on a public computer that doesn't belong to him, he inexplicably clicks yes (and mind you that just hitting enter wouldn't do it, since even IE doesn't choose to store the password by default) and walks away. The next person to use the same computer happens to be an evil bandit, finds his username and voila, all his money is gone, all his base are belong to us and the bandit is in his base killing his dudes.

Well, this is bad, so instead we never offer to remember his password. So, to accommodate the fact that he once again has to remember his passwords by himself, the user in our example and a lot of other users revert to the ways I described at the beginning of this post. They use the same password everywhere (or two, or three), they choose simple, easy to remember (and easy to crack) passwords, they leave sticky notes with passwords on the monitor, etc. So, to protect some shmuck who doesn't know that fire burns and guns kill, MS have inconvenienced a lot of reasonable people into lowering their defenses. Is that still a Good Thing?


  1. He-he... very soon MS Vista descendant will not only open web sites it thinks you should visit, but will control your light bulb in the bathroom, by turning it off whenever you go in, so you can save energy =) We are coming into an age of Big Brother watching =)

  2. Congratulations on the new blog!

    One request: can you please format the postings with paragraphs? It's really hard to read a long text when it's all in one gigantic monolithic paragraph...

  3. Yes, I guess I need to pay more attention to the formatting.

  4. I can't fully agree with you. First, I think that the existence of autocomplete doesn't necessarily mean the users started using more secure passwords. (For example, I didn't change my "password habits" because of autocomplete...) The majority of users will continue using lame "abcd", "123" and "password" as their passwords no matter what.

    Second, a fraud hits both user and the business. If someone reused autocompleted password and stole all the money from a banking account of some Joe Schmoe, not only Joe loses his money. The bank also suffers: it has to spend money on processing Joe's customer service requests; it has to investigate the issue; its reputation is spoiled and it faces a risk of litigation. And - here comes an interesting part - if Joe decides to sue the bank, the bank might easily lose the suit, because, though the means to prevent this incident (turning autocomplete off) existed, the bank didn't use them.

  5. Yes, as I said in my post, a few additional things are needed to make people use the auto-complete as the password storage (such as an ability to use your stored passwords transparently from a USB drive). Unfortunately, the autocomplete=off feature subverts the whole effort to make web browsing a little bit more secure. You are wrong about the majority of users. People DO know about "evil hackers" and people DO know that some information is more sensitive (their bank accounts, their medical records etc.) than other information. They may still think that the name of their cat or their son's birthday makes for a good password, but part of the reason for that is because they HAVE to memorize all their passwords.

  6. Well, these are not "few additional things" - it's more like a complete redesign of the feature. You basically want a built-in private data manager, integrated with a browser, with removable device support. For this functionality it should support so much more... For example:
    - password protection and encryption of the data storage;
    - Identity management capabilities (I might want to use different identities for different groups of sites, so I can choose which name and address to provide, for example);
    - Stored data management (ability to easily remove data)

    In this case, this tool might also include a password generation feature. The reason why people are using cats' and dogs' names is not only because they're easy to remember - but because they're easy to come up with. Password "GhTjji0089NN" is very secure - but it's impossible to come up with unless you just hit random keys (what I did just now).

    And here is yet another point. If you start using ultra-secure unmemorizable passwords, you are chained to your password storage device forever. Not sure users will like it.

  7. Well, you are wrong, a lot of the features you mention are already there, they are just meaningless without the removable device support and are not very accessible (GUI design problems). Firefox profiles are basically identities, it allows you to edit passwords and you can password protect your password storage. Almost everything you mentioned is there except portable storage support, password generation (would be VERY nice) and overall integration and friendliness.

  8. Firefox profiles do not work as identities unless you can use a different profile for each page. Data management is also absent - I do not know the way to remove one of the passwords I store there (I do not consider direct data file editing as a way to do it). I am also not aware of any way to password-protect my stored data - which is a must for shared computers.

  9. Yes, switching between profiles requires a browser restart, so I think you are right on that point. You are wrong on the other two counts, since there is an editor allowing you to delete any password you recorded (I think it is under preferences somewhere) and there is an ability to password protect the password store. Both have been around for a while, I seem to remember both being in the Mozilla suite.

  10. Web sites should not allow users to put up forms with . Password managers may fill in the password, thinking the form is a legitimate part of the site.

    You can probably check the "type" attribute for "input" elements against your whitelist at the same time you filter for XSS.
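
The check suggested in the last comment, as an added example that is not part of the original post or its comments: a filter that re-emits user-submitted HTML and drops any `input` element whose `type` is not on an allowlist. The allowlist contents and the names `InputTypeFilter` and `filter_inputs` are assumptions, and the filter is meant to run alongside an XSS filter, not replace it.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the input types this site lets users embed in their own markup.
ALLOWED_INPUT_TYPES = {"text", "checkbox", "radio", "submit", "button"}
# Constructed sample of user-submitted markup (not taken from any real site).
SAMPLE = ('<form action="/x"><input type="text" name="q">'
          '<input TYPE="PassWord" name="p">'
          '<input type="password" type="text" name="p2"><input name="n"></form>')

class InputTypeFilter(HTMLParser):
    """Re-emit HTML, dropping <input> elements whose type is not allowlisted."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.dropped = [], []

    def _emit(self, tag, attrs, closing=""):
        if tag == "input":
            # Browsers honour the FIRST duplicate attribute, so check that one;
            # a missing or empty type means "text". Values are case-insensitive.
            first = next((v for k, v in attrs if k == "type"), None)
            itype = (first or "text").strip().lower()
            if itype not in ALLOWED_INPUT_TYPES:
                self.dropped.append(itype)  # fail closed on anything unlisted
                return
        # The parser has already decoded entities in attribute values,
        # so escape them again on the way out.
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs)
        self.out.append(f"<{tag}{rendered}{closing}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)
    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")
    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_inputs(user_html):
    """Return (filtered_html, list_of_dropped_input_types)."""
    f = InputTypeFilter()
    f.feed(user_html)
    f.close()
    return "".join(f.out), f.dropped
```

Comments and doctype declarations are not re-emitted by this filter, and unknown type values are dropped rather than treated as text.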