OpenStack Security Guide Bad Advice for Saved Password
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Fix Released | Medium | Darren Chan |
Bug Description
On this page: http://
"We recommend that implementers do not change the default password auto complete behavior. Users choose stronger passwords in environments that allow them to use the secure browser password manager. Organizations which forbid the browser password manager should enforce this policy at the desktop level."
This advice is wrong for a couple of reasons:
1) Browser password manager plugins can ignore the directive, and still work. This setting is only for browsers themselves.
2) This setting allows browsers to manage passwords, which is often implemented insecurely.
Generally, this advice is incorrect and should just be left out.
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Darren Chan (dazzachan)
Fix proposed to branch: master
Review: https://review.openstack.org/169191