Bug 1468759 - The password field in the Satellite 6 login form needs autocomplete disabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.10
Hardware: All
OS: All
Priority: unspecified
Severity: urgent
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-07 20:31 UTC by Greg Scott
Modified: 2021-09-09 12:25 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-09 19:15:43 UTC
Target Upstream Version:
Embargoed:


Description Greg Scott 2017-07-07 20:31:04 UTC
Description of problem:
The password field in the Satellite login form has autocomplete turned on. This is a security hole that needs to close.

Version-Release number of selected component (if applicable):
6.y

How reproducible:
At will

Steps to Reproduce:
1. Login to Satellite 6.y and perform some work.
2. Log off.
3. Log back in again and the password field autocompletes.

Actual results:
The password field autocompletes. I don't have to type in the whole password.

Expected results:
I should have to enter the whole password. Password fields should never autocomplete.

Additional info:

Comment 7 of https://bugzilla.redhat.com/show_bug.cgi?id=1060777 said to open a separate BZ for this bug, since that BZ started as an RFE. That RFE was closed with WontFix in 2014 and reopened this week. The 2017 security environment is more demanding, and now it's a bug and no longer a feature request.

One workaround in https://access.redhat.com/solutions/1602583 suggests turning off autocomplete in the user's browser. Unfortunately, this workaround isn't good enough for auditors who use automation, instead of user browsers, to test this stuff. When the auditing tool sees a password field without autocomplete disabled, it triggers an audit failure and the customer must either come up with an acceptable mitigation or not use Satellite.

The problem triggering this BZ happened with Satellite 5.7. But Satellite 6 also needs autocomplete in the password field turned off.

Comment 2 Tomer Brisker 2017-07-09 19:15:43 UTC
Setting autocomplete to off is not security best practice, as many browsers will ignore the setting. Using a password manager, on the other hand, is best practice. The automated audit tool which declares this as a security issue is incorrect.
Satellite supports various external authentication methods that allow for stronger authentication, such as IdM, which can be used in a security sensitive environment.
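An added example, not code from this bug or from Satellite/Foreman: a small JavaScript audit of the kind the description mentions, run over constructed login-form markup. It flags password inputs whose autocomplete attribute is missing or not "off", which is the check the reporter's auditing tool applies. As Comment 2 points out, browsers may ignore the attribute, so this checks the served markup, not what a browser actually does. The form markup, field names and function names are assumptions.

```javascript
// Added example (not from the bug report or from Satellite/Foreman).
// Finds <input type="password"> elements in an HTML string and reports
// those whose autocomplete attribute is absent or not "off". This is what
// an automated audit tool checks; it says nothing about whether a given
// browser honours the attribute.

// Parse the attributes of a single <input ...> tag into an object.
// A simple regex is enough for well-formed login forms; it is not a
// full HTML parser.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    // Boolean attributes (e.g. required) get an empty string value.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per password field that does not carry
// autocomplete="off". Each finding names the field and the value seen.
function auditPasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    const ac = (attrs.autocomplete || "").trim().toLowerCase();
    if (ac !== "off") {
      findings.push({
        name: attrs.name || attrs.id || "(unnamed)",
        autocomplete: ac || null,
      });
    }
  }
  return findings;
}

// Constructed sample markup, shaped roughly like a Rails login form.
// The action, field names and ids are assumptions, not Satellite's own.
const FORM_WITHOUT_AUTOCOMPLETE = `
<form action="/users/login" method="post">
  <input type="text" name="login[login]" id="login_login" required>
  <input type="password" name="login[password]" id="login_password" required>
  <input type="submit" value="Log In">
</form>`;

const FORM_WITH_AUTOCOMPLETE_OFF = FORM_WITHOUT_AUTOCOMPLETE.replace(
  'id="login_password"',
  'id="login_password" autocomplete="off"'
);

// Stand-alone run: the first form yields one finding, the second none.
for (const [label, html] of [
  ["without autocomplete", FORM_WITHOUT_AUTOCOMPLETE],
  ["with autocomplete=off", FORM_WITH_AUTOCOMPLETE_OFF],
]) {
  console.log(label, JSON.stringify(auditPasswordFields(html)));
}
```

The regex accepts quoted, single-quoted and unquoted attribute values and is case-insensitive on attribute names and on the type value, so `TYPE="Password"` is still recognised as a password field.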

Comment 3 Greg Scott 2017-07-10 15:17:20 UTC
And setting the password field - by default - to automatically fill in an incomplete password is an acceptable security practice??

Really??

Try an experiment. Make sure your browser is set to not remember passwords. Go visit your favorite banking site. Does the password field autocomplete by default? Now buy a Kindle book from Amazon. Does the password field autocomplete by default? Try the same thing with pretty much any e-commerce website that requires a login.

Obviously, if I tell my browser to remember my password, I deserve the consequences. But to set the password field to autocomplete by default is like purposely stepping in front of a speeding train.

I'll leave this as closed...wontfix since it's not up to me to fix this.  I hope you change your mind.
