Red Hat Bugzilla – Bug 1468759
The password field in the Satellite 6 login form needs autocomplete disabled
Last modified: 2017-07-10 11:17:20 EDT
Description of problem:
The password field in the Satellite login form has autocomplete turned on. This is a security hole that needs to close.
Steps to Reproduce:
1. Log in to Satellite 6.y and perform some work.
2. Log off.
3. Log back in again and the password field autocompletes.
The password field autocompletes. I don't have to type in the whole password.
I should have to enter the whole password. Password fields should never autocomplete.
Comment 7 of https://bugzilla.redhat.com/show_bug.cgi?id=1060777 said to open a separate BZ for this bug, since that BZ started as an RFE. That RFE was closed with WontFix in 2014 and reopened this week. The 2017 security environment is more demanding, and now it's a bug and no longer a feature request.
One workaround in https://access.redhat.com/solutions/1602583 suggests turning off autocomplete in the user's browser. Unfortunately, this workaround isn't good enough for auditors who use automation, instead of user browsers, to test this stuff. When the auditing tool sees a password field without autocomplete disabled, it triggers an audit failure and the customer must either come up with an acceptable mitigation or not use Satellite.
The problem triggering this BZ happened with Satellite 5.7. But Satellite 6 also needs autocomplete in the password field turned off.
Setting autocomplete to off is not security best practice, as many browsers will ignore the setting. Using a password manager, on the other hand, is best practice. The automated audit tool which declares this as a security issue is incorrect.
Satellite supports various external authentication methods that allow for stronger authentication, such as IdM, which can be used in a security-sensitive environment.
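The audit rule the reporter describes, and the caveat in the reply above, can both be made concrete. The following is an added example written for this page; it is not Satellite or Foreman code and not the check of any particular auditing product. It parses a login page and reports every password field whose effective autocomplete setting (the input's own attribute, falling back to the enclosing form's) is not one of the values such tools accept. The form markup, the field names, the action path and the accepted-value set are constructed assumptions.

```python
"""Audit HTML login forms for password fields that do not disable autocomplete.

Added example. The markup below is constructed and stands in for a login page;
it is not the actual Satellite form.
"""
from html.parser import HTMLParser

# Values an automated audit tool typically treats as "autocomplete disabled" on a
# password field. Assumption: this mirrors the common scanner rule, not a specific
# product. Browsers may still ignore these values for login fields.
ACCEPTED = {"off", "new-password"}


class PasswordFieldAuditor(HTMLParser):
    """Record every <input type=password> with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # autocomplete attribute of the enclosing <form>
        self.form_action = None        # action of the enclosing <form>, for reporting
        self.findings = []             # one dict per password input seen

    def handle_starttag(self, tag, attrs):
        # Normalise attribute values; a bare attribute (no value) parses as None.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
            self.form_action = a.get("action")
        elif tag == "input" and a.get("type") == "password":
            # The input's own attribute wins; otherwise inherit the form's setting.
            effective = a.get("autocomplete") or self.form_autocomplete
            self.findings.append({
                "form": self.form_action,
                "name": a.get("name"),
                "autocomplete": effective,
                "compliant": effective in ACCEPTED,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None
            self.form_action = None


def audit_password_fields(html: str) -> list:
    """Return one finding per password field in the document."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def noncompliant(html: str) -> list:
    """Return only the password fields an audit tool would flag."""
    return [f for f in audit_password_fields(html) if not f["compliant"]]


# Constructed sample: the form as the bug describes it, with no autocomplete attribute.
WEAK_FORM = """
<form action="/users/login" method="post">
  <input type="text" name="login[login]">
  <input type="password" name="login[password]">
  <input type="submit" value="Log In">
</form>
"""

# Constructed hardened variants: the attribute on the field itself, or on the whole form.
HARDENED_FIELD = """
<form action="/users/login" method="post">
  <input type="text" name="login[login]" autocomplete="off">
  <input type="password" name="login[password]" autocomplete="off">
  <input type="submit" value="Log In">
</form>
"""

HARDENED_FORM = """
<form action="/users/login" method="post" autocomplete="off">
  <input type="text" name="login[login]">
  <input type="password" name="login[password]">
</form>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_FORM), ("field", HARDENED_FIELD), ("form", HARDENED_FORM)):
        for f in audit_password_fields(doc):
            status = "PASS" if f["compliant"] else "FAIL"
            print(f"{label}: {status} {f['form']} {f['name']} autocomplete={f['autocomplete']}")
```

Running the script flags only the first form. The check reports compliance with the audit rule, not a guarantee about browser behaviour: the attribute only influences the browser's autofill heuristics, and the reply above is correct that many browsers disregard it on login fields, so a site that passes this scan still relies on the user's browser or password-manager configuration.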
And setting the password field - by default - to automatically fill in an incomplete password is an acceptable security practice??
Try an experiment. Make sure your browser is set to not remember passwords. Go visit your favorite banking site. Does the password field autocomplete by default? Now buy a Kindle book from Amazon. Does the password field autocomplete by default? Try the same thing with pretty much any e-commerce website that requires a login.
Obviously, if I tell my browser to remember my password, I deserve the consequences. But to set the password field to autocomplete by default is like purposely stepping in front of a speeding train.
I'll leave this as closed...wontfix since it's not up to me to fix this. I hope you change your mind.