Bug 1468759 - The password field in the Satellite 6 login form needs autocomplete disabled
Status: CLOSED WONTFIX
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.2.10
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Assigned To: satellite6-bugs
QA Contact: Katello QA List
Reported: 2017-07-07 16:31 EDT by Greg Scott
Modified: 2017-07-10 11:17 EDT
Last Closed: 2017-07-09 15:15:43 EDT
Type: Bug
Description Greg Scott 2017-07-07 16:31:04 EDT
Description of problem:
The password field in the Satellite login form has autocomplete turned on.  This is a security hole that needs to close.

Version-Release number of selected component (if applicable):
6.y

How reproducible:
At will

Steps to Reproduce:
1. Log in to Satellite 6.y and perform some work.
2. Log off.
3. Log back in again and the password field autocompletes.

Actual results:
The password field autocompletes.  I don't have to type in the whole password.

Expected results:
I should have to enter the whole password. Password fields should never autocomplete.

Additional info:

Comment 7 of https://bugzilla.redhat.com/show_bug.cgi?id=1060777 said to open a separate BZ for this bug, since that BZ started as an RFE. That RFE was closed with WontFix in 2014 and reopened this week. The 2017 security environment is more demanding, and now it's a bug and no longer a feature request.

One workaround in https://access.redhat.com/solutions/1602583 suggests turning off autocomplete in the user's browser.  Unfortunately, this workaround isn't good enough for auditors who use automation, instead of user browsers, to test this stuff.  When the auditing tool sees a password field without autocomplete disabled, it triggers an audit failure and the customer must either come up with an acceptable mitigation or not use Satellite.

The problem triggering this BZ happened with Satellite 5.7. But Satellite 6 also needs autocomplete in the password field turned off.
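As an added example (not Satellite or Foreman code), the script below mimics the markup check an automated audit tool applies to a login page: it parses the HTML and flags every password input whose autocomplete is not disabled, honouring a form-level setting as well as one on the input itself. The sample pages, form action and field names are constructed for the example.

```python
"""Added example: mimic an audit tool's markup check for password fields with
autocomplete enabled. Not Satellite or Foreman code; the HTML is constructed."""
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Record every <input type="password"> and its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None  # value set on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag and attribute names; values may be None
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # autocomplete on the input overrides the form-level setting;
            # with neither present the browser default is "on".
            effective = a.get("autocomplete") or self.form_autocomplete or "on"
            self.findings.append({
                "name": a.get("name", "<unnamed>"),
                "autocomplete": effective,
                "disabled": effective == "off",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit_password_fields(html):
    """Return one finding per password input. A finding with disabled=False is
    what the automated scanner reports as a failure. This inspects markup only:
    browsers may still offer saved credentials despite autocomplete="off"."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample pages; form action and field names are assumptions.
DEFAULT_LOGIN = ('<form method="post" action="/login"><input type="text" name="login">'
                 '<input type="password" name="password"></form>')
HARDENED_LOGIN = DEFAULT_LOGIN.replace('name="password"',
                                       'name="password" autocomplete="off"')
FORM_LEVEL_LOGIN = DEFAULT_LOGIN.replace("<form", '<form autocomplete="off"')
```

Running `audit_password_fields` over the three samples reports the default page as a failure and the other two as passing, which is the distinction the audit tool in this report draws, regardless of what the browser later does with the attribute.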
Comment 2 Tomer Brisker 2017-07-09 15:15:43 EDT
Setting autocomplete to off is not security best practice, as many browsers will ignore the setting. Using a password manager, on the other hand, is best practice. The automated audit tool which declares this as a security issue is incorrect.
Satellite supports various external authentication methods that allow for stronger authentication, such as IdM, which can be used in a security sensitive environment.
Comment 3 Greg Scott 2017-07-10 11:17:20 EDT
And setting the password field - by default - to automatically fill in an incomplete password is an acceptable security practice??

Really??

Try an experiment. Make sure your browser is set to not remember passwords. Go visit your favorite banking site. Does the password field autocomplete by default?  Now buy a Kindle book from Amazon.  Does the password field autocomplete by default?  Try the same thing with pretty much any e-commerce website that requires a login.

Obviously, if I tell my browser to remember my password, I deserve the consequences.  But to set the password field to autocomplete by default is like purposely stepping in front of a speeding train.

I'll leave this as closed...wontfix since it's not up to me to fix this.  I hope you change your mind.
