[Info-vax] OT: Autocomplete username/password

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed May 13 08:51:04 EDT 2015


On 2015-05-13 11:40:34 +0000, pieter.spoelstra at portavita.nl said:

> I've read the bug discussion, but I don't understand it.

This change allows the Firefox password manager to function for more 
cases.  While a few folks believe that password managers are bad and 
that their particular passwords are special snowflakes 
<http://kb.mozillazine.org/User_name_and_password_not_remembered>, the 
general consensus is that password managers are necessary for most 
folks to administer their increasing plethora of passwords, and a key 
part of allowing most end-users to select and generate and use much 
more secure and per-site passwords.  Yes, this does mean that there's a 
local data store of passwords around, and that's certainly occasionally 
at risk.  However, if that local password store is compromised, then 
the attacker can probably also just scrape the password input or can 
otherwise insinuate their code into security-critical paths.

Now if you might wish to learn about or even debate the particular 
implementation of some password manager, I'd suggest discussing that 
directly with the particular provider; with the Mozilla folks for the 
Firefox-integrated password manager, or with Apple for Keychain 
<https://en.wikipedia.org/wiki/Keychain_(software)> and with the folks 
at VSI for... oops, nevermind OpenVMS doesn't have a password manager, 
nor does it have a secure store for user certificates.  On OpenVMS and 
other systems that lack password management, it's all left up to the 
application programmers.

> Where's the safety in this, allowing autocomplete as default. Currently 
> I'm working in a project where 2 factor authentication is introduced. 
> So if username and password are simplified by autocomplete, it makes 2FA 
> weaker.

If your <https://en.wikipedia.org/wiki/Two_factor_authentication> 
(increasingly 2FA is a key part of 
<https://en.wikipedia.org/wiki/Targeted_advertising>, but I digress) is 
subject to what amounts to a 
<https://en.wikipedia.org/wiki/Replay_attack> due to 
<https://en.wikipedia.org/wiki/Autofill> from the user's 
<https://en.wikipedia.org/wiki/Password_manager> (which helps avoid 
<https://en.wikipedia.org/wiki/Password_fatigue>), then you might want 
to rethink your <https://en.wikipedia.org/wiki/Authentication> and 
<https://en.wikipedia.org/wiki/Identity_management> design, and maybe 
use a <https://en.wikipedia.org/wiki/Random_number_generation> and/or 
<https://en.wikipedia.org/wiki/Security_token>.


TL;DR: your 2FA almost certainly won't be returning the same value for 
each query, so there won't be anything for the password manager to 
replay — even if a booted and running and unlocked laptop with a 
currently-unlocked password manager database is stolen, the 2FA tokens 
are architected to time out too quickly, and the 2FA usually involves a 
second and separate communications path (e.g. SMS) or separate widget 
(e.g. <https://www.yubico.com> token key, etc) which would also have to 
be acquired for access, prior to your IT being notified and locking out 
the access.

I've been pondering offering a security-related session at the next boot camp.


-- 
Pure Personal Opinion | HoffmanLabs LLC
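The "nothing for the password manager to replay" argument above can be checked concretely with a time-based one-time password. The following is an added example, not code from the post or from any of the products it mentions: a minimal RFC 6238 TOTP generator plus a server-side verifier, driven with the RFC's own published test-vector secret and timestamps so the numbers can be cross-checked. The one-step skew window and the "last accepted counter" anti-replay rule in the verifier are assumptions about a reasonable server policy, not something the post specifies.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"). Used here only so
# the codes below can be checked against the RFC's published test vectors.
RFC6238_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30 s time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. The one-step window tolerates clock skew; the
    'last accepted counter' rule is the assumed anti-replay policy: a code
    that was already consumed is refused even while it is still in window."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted = None  # highest counter value already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if self.last_accepted is not None and counter <= self.last_accepted:
                continue  # that step (or an older one) was already used: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


def replay_demo(secret: bytes = RFC6238_SECRET) -> dict:
    """Scenario from the post: a stored (autofilled) code is presented again
    later. Timestamps are the RFC 6238 test-vector times (constructed input)."""
    t_issue = 1111111109          # code generated here (step 37037036)
    t_next_step = 1111111111      # 2 s later, but already step 37037037
    t_much_later = t_issue + 90   # three steps later, outside the window

    stored_code = totp(secret, t_issue, digits=8)
    fresh = TotpVerifier(secret, digits=8)
    return {
        "code_at_issue": stored_code,
        "code_next_step": totp(secret, t_next_step, digits=8),
        # first use, on time: accepted
        "first_use": fresh.verify(stored_code, t_issue),
        # same code 2 s later: inside the skew window, but already consumed
        "replay_next_step": fresh.verify(stored_code, t_next_step),
        # a verifier with no replay memory would still accept it at that time,
        # which is exactly why the consumed-counter rule is there
        "window_only_next_step": TotpVerifier(secret, digits=8).verify(
            stored_code, t_next_step),
        # 90 s later nothing in the window matches: the code has simply expired
        "replay_much_later": TotpVerifier(secret, digits=8).verify(
            stored_code, t_much_later),
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

Two things to take from the run: the code changes every 30 seconds regardless of what a password manager stored, so an autofilled value is worthless after at most one or two steps; and within that short window the server, not the client, has to refuse a second use of the same counter, which is what `last_accepted` does. The `hmac.compare_digest` call keeps the code comparison constant-time; it is not related to replay but is the standard way to compare an OTP.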
