WeBWorK Main Forum

Setting login form autocomplete to off

by Chuck Johnson -
Number of replies: 9

Hi,

Our monthly scans of our site by the Department of Homeland Security's CISA flag us on our WeBWorK site for issues with the login form having the autocomplete=on for the admin and currently available courses' login form.

The report shows the following:

The following password field(s) in the form do not set autocomplete="off":
(Field name: passwd Field id: pswd)

I generally enjoy a challenge, but this has proven to be a challenge that is greater than what I am currently capable of.

I updated our server to the current version (2.18) yesterday in hopes of it having autocomplete set to off by default. When looking at the properties of the form in the browser's developer tools though, it appears autocomplete is still on.

I'd be very grateful if someone could give me some ideas or instructions on how the setting can be changed to autocomplete=off, if it can be done?

Thanks!

Chuck

In reply to Chuck Johnson

Re: Setting login form autocomplete to off

by Glenn Rice -

That is an invalid report. See https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion. Most modern browsers do not support setting autocomplete="off" on fields in a login form, and they all should not support that.

Note that WeBWorK does not set autocomplete="on" for those fields.  So if you are seeing it, then that is the browser adding it.  You can't stop that.

In reply to Glenn Rice

Re: Setting login form autocomplete to off

by Andras Balogh -

I used to get many invalid reports and I thank the WeBWorK developers for helping to sift through them.

Instead of arguing with them, is it possible that in this case the IT would be happy with a useless autocomplete="off" setting?



In reply to Glenn Rice

Re: Setting login form autocomplete to off

by Alex Jordan -
I can confirm that with Firefox on MacOS, I have a course where when I start typing in the username field, it prompts me with "alexjordan" in a dropdown style menu. (This is actually annoying because my username is something else, but one time I mistyped it and this is what it remembers.)

If I add `autocomplete="off"` to the form (just editing the DOM in the developer tools), it no longer does this. And then if I remove that, it returns to the original behavior.

Aside from revealing a username that should maybe not be revealed, a thing that can happen is a person types too quickly without looking at the screen:
username[doesn't hit tab hard enough]password[enter]
and the password could find its way into storage to later be revealed.
In reply to Alex Jordan

Re: Setting login form autocomplete to off

by Andras Balogh -
Based on the link Glenn sent and based on my experience it is also about browser settings that can override the page source.
Firefox v 120.0.1 on my Mac happily autocompletes both my (correct) login name and password on our Blackboard login page that has autocomplete="off" both for username and password.

But whatever makes IT happy.
In reply to Alex Jordan

Re: Setting login form autocomplete to off

by Glenn Rice -
Most browsers will offer to autocomplete the username and password regardless of whether those inputs have autocomplete="off" set on them or not. They also will only remember a username and password if you explicitly tell them to do so (they will prompt you and ask to save the username and password). If you are on a public computer, you should of course never tell the browser to save the username and password. If you mistype and enter an invalid username or password (or don't hit tab hard enough and start typing your password into the username input and hit enter), then you also should not tell the browser to save the username and password. You can also remove a username and password from what is saved if you want to do so. If you are being prompted with a username that is invalid, then you should do that.

Both Firefox and Google Chrome do what I have described. I don't know of any modern browsers that don't.

I have tried adding autocomplete="off" both in the code so that it is there when the page loads, and via the developer tools in the browser. In neither case does this disable the behavior I have described above.

As stated on the MDN page that I linked before, this behavior is considered MORE secure than having autocomplete="off" actually honored by the browser. The reason is that it allows users to create stronger passwords that they do not need to remember.
In reply to Glenn Rice

Re: Setting login form autocomplete to off

by Chuck Johnson -
Hi Glenn,

Thank you for your detailed response.

I just had a conversation with my boss regarding the setting. He said as long as we have a record of the issue and its status, it should be OK.

I don't know what tool DHS - CISA uses, but it obviously looks at the autocomplete setting. I would hope they would know about browsers not honoring the setting, but it makes me curious then why they flag it as an issue.

I did find a webpage that states that if the autocomplete tag is not included, it is assumed that it is on. Not that you don't already know this, but just for completeness: https://www.invicti.com/blog/web-security/impact-autocomplete-feature-web-security/. I also found a site discussing best practices for login forms. The recommendation on that site is to use autocomplete="current-password" for sign-in forms and autocomplete="new-password" for new and reset password forms: https://web.dev/articles/sign-in-form-best-practices and https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands/.

At any rate, thank you for your time and explanation, I truly appreciate it!

Chuck
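As an added example (not from the thread and not WeBWorK code), here is a small JavaScript audit that does what the scanner's check and the web.dev recommendation above describe: find the password inputs in a page's HTML and report which autocomplete token each carries versus the expected one. The sample form (modelled on the flagged field name "passwd" / id "pswd"), the regex-based tag parsing, and the 'sign-in' / 'new-password' form-kind parameter are assumptions of this example.

```javascript
// Constructed example: audit <input> tags in an HTML fragment, the way a
// scanner or a reviewer in browser dev tools would, and report the
// autocomplete token on each password field against the web.dev guidance
// (current-password for sign-in forms, new-password for new/reset forms).
// Regex parsing is good enough for an audit fragment, not a full HTML parser.
const INPUT_RE = /<input\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the attribute text of one <input> tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// formKind is 'sign-in' or 'new-password' (assumed: the caller knows which
// kind of form the fragment is).
function auditPasswordFields(html, formKind = 'sign-in') {
  const expected = formKind === 'sign-in' ? 'current-password' : 'new-password';
  const findings = [];
  for (const m of html.matchAll(INPUT_RE)) {
    const a = parseAttrs(m[1]);
    if ((a.type || 'text').toLowerCase() !== 'password') continue;
    const token = (a.autocomplete || '').trim().toLowerCase();
    findings.push({
      name: a.name ?? null,
      id: a.id ?? null,
      autocomplete: token || null,
      ok: token === expected,
      recommendation: token === expected ? null : `autocomplete="${expected}"`,
      // "off" satisfies the scanner but, per MDN, browsers ignore it on
      // login fields, so it is reported rather than treated as a fix.
      note: token === 'off' ? 'browsers ignore autocomplete="off" on login fields' : null,
    });
  }
  return findings;
}

// Constructed sample resembling the flagged login form.
const SAMPLE_LOGIN = `
<form method="post">
  <input type="text" name="user" id="uname" autocomplete="username">
  <input type="password" name="passwd" id="pswd">
</form>`;

// Constructed sample of a reset form that already follows the guidance.
const SAMPLE_RESET = `
<input type="password" name="new_passwd" id="npw" autocomplete="new-password">`;
```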
In reply to Chuck Johnson

Re: Setting login form autocomplete to off

by Alex Jordan -

Here is a course on my institution's WW site, version 2.18.

https://webwork.pcc.edu/webwork2/abe0787-sandbox

If I search for `autocomplete` using Firefox developer tools, I don't find anything. I don't see it in the input fields.

Is your site public? If you are seeing `autocomplete` at your site, can you share a page address and we could see if we see that too there?

In reply to Alex Jordan

Re: Setting login form autocomplete to off

by Andras Balogh -
I see autocomplete="off" on our Blackboard login page, for example.
I am at a different site, but I am interested in these issues because I used to spend a lot of time fighting with our IT.
In reply to Alex Jordan

Re: Setting login form autocomplete to off

by Alex Jordan -
Sorry, I misunderstood. I get it now that the issue you are reporting is the absence of `autocomplete="off"`, not the presence of `autocomplete="on"`.