I noticed a while ago that many security professionals advise their customers to set ‘autocomplete=off’ on the password fields of login screens. It also started to scratch an itch when my password manager never stored passwords for a few websites. So I started to look for opinions before forming my own.
Websites advising to disable autocomplete
What are the advantages of disabling autocomplete
The two main advantages for the security are the following:
- Avoid caching sensitive data on the client side (credit card numbers)
- Avoid storing the password in an insecure and hackable client-side database
The first bullet is in my opinion completely legitimate. Some information, like credit card numbers, should not be remembered by web forms: a plain text input carries nothing that lets the browser understand that the field is sensitive, that its content should not be stored unencrypted on the hard drive, and that it should not be shown in plaintext the next time the user types a few digits in a text box (and becomes a victim of shoulder surfing). Passwords are different. They have their own class of input box (type="password") and browsers know how to manage them. I will come back to this later.
The second advantage of that policy is that passwords won’t be remembered if the user’s computer has been compromised. That’s true in a few situations, like when the user has malware on his computer or his laptop gets lost or stolen. I would respond that no software password management solution can really help when the end user’s computer cannot be trusted. In many cases, malware can just wait for the user to type his password and steal it. To efficiently protect against malware, users should be given a physical device to authenticate and sign any sensitive operation. That’s the only working mitigation in my opinion; we use these in Belgium for e-banking and it’s working pretty well.
Now, let’s get started with the cons of autocomplete=off
The most problematic drawback of autocomplete=off policies is that they interact badly with password managers. Password managers are in my opinion the best we can do to work around the inherent insecurity of passwords: don’t remember your password, let your password manager do it for you (and do it better, without writing it down in plaintext). When you set autocomplete=off, you effectively opt out of all the advantages password managers provide to users, advantages that are specifically designed to avoid pitfalls like the stolen laptop scenario (the vault is encrypted under a master password, so a stolen disk does not give up the credentials).
The policy is hard to change locally: it is completely under the control of the server, which means users don’t control how they manage the security of their own credentials, unless their password manager deliberately overrides the autocomplete attribute.
A big issue is also the consequence for the strength of the passwords users choose for these services. Let’s say you have to choose a password for a web service. This password:
- Has to be longer than 8 characters, including capitals, digits and special characters (i.e. hard to remember)
- Cannot be stored on your computer or on paper for later reference (i.e. has to be memorised)
- Cannot be shared with other websites
- Must sometimes be typed on devices like a smartphone
Tell me how I am supposed to fulfil these requirements if I need 20 websites daily to do my work (my password manager has about a hundred entries). It’s simply impossible. As a consequence, users are going to work around this policy and either choose a very simple password, or a somewhat strong password that is the same on all services. A password manager lets the user store a strong, unique password per service. Breaking the password manager pushes the user towards all the other behaviours. The lack of good web password managers on mobile platforms is also one of the reasons for poor passwords (no capitals, special characters or digits) and password reuse on these devices.
Password managers protect against phishing. Don’t believe it? Go to a phishing site that has nothing to do with the legitimate website, and the password does not autocomplete itself, because the manager matches stored credentials against the site’s origin and the lookalike domain is not the one the password was saved for. This should ring a bell even for inexperienced users. They may not even know the password, and having to go through a few extra steps to retrieve it will probably put some distance between the user and the phisher.
Please note that if you combine this policy with disabling copy and paste into the password fields (I’m looking at you, Blizzard!), I hate you. Your policy enforces weak passwords instead of promoting strong ones.
You may have understood it by now: my biggest problem with autocomplete=off policies is that they break password managers, which in my opinion are the best tool we have to manage the hell that passwords are. By setting this attribute, you opt the user out of password management and force them back to less optimal techniques like weak passwords or password sharing.
What to do? Promote password managers. Let the user decide on the password policy. Do not rely on passwords alone but use strong authentication with hardware devices. Update password managers to ignore autocomplete=off, which may already be the case for a few password managers (I tested Firefox Sync and KeePass, and they don’t have that functionality).
I will happily read anything you may have to add to this, especially if I’m wrong.