[Info-vax] OT: Autocomplete username/password
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed May 13 08:51:04 EDT 2015
On 2015-05-13 11:40:34 +0000, pieter.spoelstra at portavita.nl said:
> I've read the bug discussion, but I don't understand it.
This change allows the Firefox password manager to function for more
cases. While a few folks believe that password managers are bad and
that their particular passwords are special snowflakes
<http://kb.mozillazine.org/User_name_and_password_not_remembered>, the
general consensus is that password managers are necessary for most
folks to administer their increasing plethora of passwords, and a key
part of allowing most end-users to select and generate and use much
more secure and per-site passwords. Yes, this does mean that there's a
local data store of passwords around, and that's certainly occasionally
at risk. However, if that local password store is compromised, then
the attacker can probably also just scrape the password input or can
otherwise insinuate their code into security-critical paths.
Now if you might wish to learn about or even debate the particular
implementation of some password manager, I'd suggest discussing that
directly with the particular provider; with the Mozilla folks for the
Firefox-integrated password manager, or with Apple for Keychain
<https://en.wikipedia.org/wiki/Keychain_(software)> and with the folks
at VSI for... oops, never mind, OpenVMS doesn't have a password manager,
nor does it have a secure store for user certificates. On OpenVMS and
other systems that lack password management, it's all left up to the
application programmers.
> Where's the safety in this, allowing autocomplete by default? Currently
> I'm working in a project where 2 factor authentication is introduced.
> So if username and password are simplified by autocomplete, it makes 2FA
> weaker.
If your <https://en.wikipedia.org/wiki/Two_factor_authentication>
(increasingly 2FA is a key part of
<https://en.wikipedia.org/wiki/Targeted_advertising>, but I digress) is
subject to what amounts to a
<https://en.wikipedia.org/wiki/Replay_attack> due to
<https://en.wikipedia.org/wiki/Autofill> from the user's
<https://en.wikipedia.org/wiki/Password_manager> (which helps avoid
<https://en.wikipedia.org/wiki/Password_fatigue>), then you might want
to rethink your <https://en.wikipedia.org/wiki/Authentication> and
<https://en.wikipedia.org/wiki/Identity_management> design, and maybe
use a <https://en.wikipedia.org/wiki/Random_number_generation> and/or
<https://en.wikipedia.org/wiki/Security_token>.
TL;DR: your 2FA almost certainly won't be returning the same value for
each query, so there won't be anything for the password manager to
replay — even if a booted and running and unlocked laptop with a
currently-unlocked password manager database is stolen, the 2FA tokens
are architected to time out too quickly, and the 2FA usually involves a
second and separate communications path (e.g. SMS) or separate widget
(e.g. <https://www.yubico.com> token key, etc.) which would also have to
be acquired for access, prior to your IT being notified and locking out
the access.
I've been pondering offering a security-related session at the next boot camp.
--
Pure Personal Opinion | HoffmanLabs LLC
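The TL;DR in the message above argues that a 2FA code changes on every query and expires, so a copy held by a password manager has nothing to replay. Added example, not part of the original post or of any of the products mentioned: an RFC 4226/6238 HOTP/TOTP generator and server-side verifier in Python, showing a code captured in one 30-second window being rejected two minutes later. The secret is the RFC test key, a constructed value, not a real credential.

```python
import hmac
import hashlib
import struct

# Constructed example secret (the RFC 4226/6238 test key); not a real credential.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per TOTP time window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP, skew: int = 1) -> bool:
    """Server-side check: accept only codes for the current window (+/- `skew`
    windows for clock drift), compared in constant time. A production verifier
    would additionally record the accepted counter so one code cannot be reused
    inside its own window."""
    current = unix_time // step
    return any(hmac.compare_digest(submitted, hotp(secret, current + d, len(submitted)))
               for d in range(-skew, skew + 1) if current + d >= 0)


def replay_demo(secret: bytes, captured_at: int, replayed_at: int) -> tuple:
    """Return (accepted when fresh, accepted when replayed later) for one captured code."""
    code = totp(secret, captured_at)
    return (verify_totp(secret, code, captured_at),
            verify_totp(secret, code, replayed_at))


if __name__ == "__main__":
    fresh, stale = replay_demo(SECRET, captured_at=59, replayed_at=59 + 120)
    print(f"code at t=59: {totp(SECRET, 59)}  fresh accepted={fresh}  "
          f"replayed two minutes later accepted={stale}")
```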