Deprecation of password_autocomplete
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned |
OpenStack Security Guide Documentation | New | Undecided | Unassigned |
Bug Description
Currently, Horizon tries to prevent browsers' username/password auto-completion by default.
https:/
However, modern browsers have become more eager to auto-fill forms, seeing it as a net gain[1], while preventing users' secrets from being filled into insecure forms[2]. Under these circumstances, blocking auto-filling does not offer much security gain. It's time to deprecate the "password_
As for the point in the security guide[3], the flaw described there exists regardless of the value of password_
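Since the page's argument is that the attribute this setting controls no longer buys anything, an operator's practical question is simply which variant their deployment actually serves. The following is an added example, not Horizon's own code or part of this bug report: a small audit that parses a login page's HTML (fetched however you like; two constructed sample forms are embedded here so it runs offline) and reports every password input together with its `autocomplete` value, so a deployment can be checked before and after the setting is changed. The function and sample names are assumptions made for this example.

```python
"""Audit a login page for password inputs and their autocomplete attribute.

Added example for auditing a deployment; not Horizon code. Sample HTML below is
constructed for the example and mimics a login form, nothing more.
"""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> and its autocomplete value."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("type") or "").lower() != "password":
            return
        # A bare `autocomplete` attribute (no value) parses as None; normalise
        # both that and a missing attribute to None so callers can tell
        # "explicitly off" from "not set".
        value = a.get("autocomplete")
        self.fields.append({
            "name": a.get("name"),
            "autocomplete": value.lower() if value else None,
        })


def audit_password_fields(html):
    """Return a list of {'name', 'autocomplete'} dicts, one per password input."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.fields


def summarize(html):
    """Summarise the audit: how many password fields and which still say 'off'.

    Fields still carrying autocomplete="off" are the ones the report above
    argues are pointless, since modern browsers ignore the hint on login fields.
    """
    fields = audit_password_fields(html)
    return {
        "password_fields": len(fields),
        "autocomplete_off": [f["name"] for f in fields if f["autocomplete"] == "off"],
        "unset_or_other": [f["name"] for f in fields if f["autocomplete"] != "off"],
    }


# Constructed sample: a login form rendered with the legacy "off" hint.
SAMPLE_LEGACY_FORM = """
<form method="post" action="/auth/login/">
  <input type="text" name="username" autocomplete="off">
  <input type="password" name="password" autocomplete="off">
  <button type="submit">Sign In</button>
</form>
"""

# Constructed sample: the same form after dropping the hint and using the
# standard token that lets password managers fill the field.
SAMPLE_UPDATED_FORM = """
<form method="post" action="/auth/login/">
  <input type="text" name="username" autocomplete="username">
  <input type="PASSWORD" name="password" autocomplete="current-password">
  <button type="submit">Sign In</button>
</form>
"""

if __name__ == "__main__":
    for label, html in (("legacy", SAMPLE_LEGACY_FORM), ("updated", SAMPLE_UPDATED_FORM)):
        print(label, summarize(html))
```

To audit a live deployment, fetch the login page over HTTPS with your HTTP client of choice and pass the response body to `summarize`; the `autocomplete_off` list is what should shrink to empty once the setting is retired.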
[1] https:/
> Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
>
> For this reason, many modern browsers do not support autocomplete="off" for login fields
[2] https:/
> Autofill is also disabled on insecure login forms
[3] https:/
> it introduces a flaw, as the user account becomes easily accessible to anyone that uses the same account on the client machine