Security Basics mailing list archives
Re: Webmail authentication
From: <riscorp () mindspring com>
Date: Fri, 20 Dec 2002 14:57:58 -0500
I may be off base, but if the password is requested by an HTML form and you can modify it, then modify it to something like:

    <INPUT TYPE="password" AUTOCOMPLETE="off">

Someone could use a browser where the AUTOCOMPLETE attribute is disabled, but standard browsers appear to support this, at least when I worked this issue a couple of years ago for a bank.

WARNING: Any time you send information or a command to a browser, you must assume that the information can be modified or ignored. Therefore, having a corporate policy is also an important step. The above attribute method just pushes people in the right direction. It does not guarantee their behavior.

Mark

On Fri, 20 Dec 2002 02:46:02 +0800 Michael Boman <michael.boman () securecirt com> wrote:
> On Wed, Dec 18, 2002 at 12:28:50PM -0800, David Brown wrote:
> > My company is working on a webmail implementation, which requires that the user authenticate to an NT domain. Regardless of the authentication method, there is always an option in the login dialog to 'Save this password in your password list', which seems to be browser driven.
> >
> > I don't want my user population saving their passwords to various computers all over the world. Does anyone have a clue how to remove or disable this option?
>
> No, you can usually not control the client browser. Put a policy in place instead that forbids people to save it in the browser and gives the management power to enforce disciplinary actions if they break it (not all security problems can be removed with technology).
>
> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
> http://www.securecirt.com
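
An added example, not part of the original post: a small audit that parses a login page and reports password fields whose effective AUTOCOMPLETE value is not "off", treating a field without its own attribute as inheriting the enclosing form's. The sample page, field names and the `audit` helper are constructed for illustration; the check covers only what the server sends, not what a browser does with it.

```python
from html.parser import HTMLParser

# Constructed sample login page (not from the original post).
SAMPLE_PAGE = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw_saved">
</form>
<form action="/login2" method="post" autocomplete="off">
  <input type="password" name="pw_inherits">
</form>
<form action="/login3" autocomplete="off">
  <INPUT TYPE="password" NAME="pw_override" AUTOCOMPLETE="on">
  <INPUT TYPE="password" NAME="pw_explicit" AUTOCOMPLETE="off">
</form>
"""


class PasswordFieldAudit(HTMLParser):
    """Collect password inputs whose effective autocomplete is not 'off'."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = ""  # value set on the enclosing <form>, if any
        self.findings = []           # (field name, line number) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already lowercases attribute names
        autocomplete = (attrs.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self.form_autocomplete = autocomplete
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # The field's own attribute wins; otherwise it inherits the form's.
            effective = autocomplete or self.form_autocomplete
            if effective != "off":
                line, _ = self.getpos()
                self.findings.append((attrs.get("name") or "<unnamed>", line))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = ""


def audit(html):
    """Return the password fields a browser may offer to save."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit(SAMPLE_PAGE)` flags `pw_saved` and `pw_override` and leaves the other two fields alone.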