OpenStack Security Guide Bad Advice for Saved Password

Bug #1438418 reported by Travis McPeak
This bug affects 1 person
Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Darren Chan

Bug Description

On this page: http://docs.openstack.org/security-guide/content/dashboard.html#dashboard-basic-web-server-configuration , in the password autocomplete option section, the guidance says:

"We recommend that implementers do not change the default password auto complete behavior. Users choose stronger passwords in environments that allow them to use the secure browser password manager. Organizations which forbid the browser password manager should enforce this policy at the desktop level."

This advice is wrong for a couple of reasons:

1) Browser password manager plugins can ignore the directive, and still work. This setting is only for browsers themselves.
2) This setting allows browsers to manage passwords, which is often implemented insecurely.

Generally, this advice is incorrect and should just be left out.

Tags: sec-guide
Darren Chan (dazzachan)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Darren Chan (dazzachan)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/169191

Changed in openstack-manuals:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to security-doc (master)

Reviewed: https://review.openstack.org/169191
Committed: https://git.openstack.org/cgit/openstack/security-doc/commit/?id=d4096a20508cc2b25c146eb68a347423d74af991
Submitter: Jenkins
Branch: master

commit d4096a20508cc2b25c146eb68a347423d74af991
Author: daz <email address hidden>
Date: Tue Mar 31 17:45:10 2015 +1100

    Removed the password autocomplete section

    Removed the password autocomplete section in the security guide. See the bug for details.

    Change-Id: I4808da42883dfba8fa012152d4b1910dafe37df8
    backport: none
    Closes-bug: #1438418

Changed in openstack-manuals:
status: In Progress → Fix Released