Security Basics mailing list archives

Re: Webmail authentication


From: <riscorp () mindspring com>
Date: Fri, 20 Dec 2002 14:57:58 -0500

I may be off base but if the password is requested by an HTML form and you can
modify it, then modify it to something like:

<INPUT TYPE="password" AUTOCOMPLETE="off">

Someone could use a browser where the AUTOCOMPLETE attribute is disabled, but
standard browsers appear to support this, at least when I worked this issue a
couple of years ago for a bank.

WARNING: Any time you send information or a command to a browser, you must
assume that the information can be modified or ignored. Therefore, having a
corporate policy is also an important step. The above attribute method just
pushes people in the right direction. It does not guarantee their behavior.

Mark

On Fri, 20 Dec 2002 02:46:02 +0800 Michael Boman
<michael.boman () securecirt com> wrote:

On Wed, Dec 18, 2002 at 12:28:50PM -0800, David Brown wrote:
My company is working on a webmail implementation, which requires that
the user authenticate to an NT domain. Regardless of the authentication
method, there is always an option in the login dialog to 'Save this
password in your password list', which seems to be browser driven.
I don't want my user population saving their passwords to various
computers all over the world. Does anyone have a clue how to remove or
disable this option?

No, you can usually not control the client browser. Put a policy in
place instead that forbids people to save it in the browser and gives
the management power to enforce disciplinary actions if they break it
(not all security problems can be removed with technology).

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT (A SBU of Z-Vance Pte Ltd)
http://www.securecirt.com
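An added example, not part of the thread above: a small stand-alone audit that parses a login page and reports every password field that does not carry the AUTOCOMPLETE="off" attribute Mark suggests, so a webmail team can check its own forms before relying on the client. The sample form is constructed for the example; only the Python standard library is used.

```python
# Added example (not from the original thread): audit an HTML login form for
# password fields that do not carry AUTOCOMPLETE="off". Per Mark's warning, the
# attribute is only a hint to the client; this script checks that the server
# at least sends it, nothing more.
from html.parser import HTMLParser


class PasswordFieldAuditor(HTMLParser):
    """Collect every <input type="password"> and whether autocomplete is off."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (field name, autocomplete_off)

    def handle_starttag(self, tag, attrs):
        if tag != "input":          # html.parser lower-cases tag and attr names
            return
        a = {k: (v or "") for k, v in attrs}   # value-less attrs arrive as None
        if a.get("type", "text").lower() != "password":
            return
        name = a.get("name", "<unnamed>")
        off = a.get("autocomplete", "").strip().lower() == "off"
        self.findings.append((name, off))


def audit_form(html):
    """Return the names of password inputs that still allow browser autocomplete."""
    parser = PasswordFieldAuditor()
    parser.feed(html)
    parser.close()
    return [name for name, off in parser.findings if not off]


# Constructed sample: one form fixed as in Mark's reply, one left unchanged.
SAMPLE_FORM = """
<FORM METHOD="post" ACTION="/webmail/login">
  <INPUT TYPE="text" NAME="user">
  <INPUT TYPE="password" NAME="pass" AUTOCOMPLETE="off">
</FORM>
<form method="post" action="/admin/login">
  <input type="text" name="admin_user" autocomplete="off">
  <input type="password" name="admin_pass">
</form>
"""

if __name__ == "__main__":
    for field in audit_form(SAMPLE_FORM):
        print('password field "%s" lacks autocomplete="off"' % field)
```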
