Bug 1468759
| Summary: | The password field in the Satellite 6 login form needs autocomplete disabled | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Greg Scott <gscott> |
| Component: | Users & Roles | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED WONTFIX | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.10 | CC: | dhlavacd, mhulan, tbrisker |
| Target Milestone: | Unspecified | | |
| Target Release: | Unused | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-09 19:15:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Greg Scott
2017-07-07 20:31:04 UTC
Setting autocomplete to off is not security best practice, as many browsers will ignore the setting. Using a password manager, on the other hand, is best practice. The automated audit tool which declares this as a security issue is incorrect. Satellite supports various external authentication methods that allow for stronger authentication, such as IdM, which can be used in a security sensitive environment.

And setting the password field - by default - to automatically fill in an incomplete password is an acceptable security practice?? Really??

Try an experiment. Make sure your browser is set to not remember passwords. Go visit your favorite banking site. Does the password field autocomplete by default? Now buy a Kindle book from Amazon. Does the password field autocomplete by default? Try the same thing with pretty much any e-commerce website that requires a login.

Obviously, if I tell my browser to remember my password, I deserve the consequences. But to set the password field to autocomplete by default is like purposely stepping in front of a speeding train.

I'll leave this as closed...wontfix since it's not up to me to fix this. I hope you change your mind.