20/02/2008, 19h43   #13
Jerry Stuckle
Re: Website Security - Preventing Users storing their login details in their browser...

Danish wrote:
> On Feb 18, 2:14 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Danish wrote:
>>> On Feb 14, 8:01 pm, WindsorFox <darkshado...@gmail.com> wrote:
>>>> Danish wrote:
>>>>> Hi,
>>>>> I'm creating a web based database. The users of the database will
>>>>> complete a login form with User Name and Password.
>>>>> Many browsers offer the user the option of storing their login
>>>>> details. For example: IE asks if you want to store the login details
>>>>> when you click the submit button.
>>>>> I need to know if there is anything I can do when I create the login page
>>>>> (which will be generated by a Perl program) which will either prevent
>>>>> the browser from offering this option or prevent the user from
>>>>> accepting it.
>>>>> Any ideas welcome!
>>>>> Nigel
>>>> A site that did that to me I would never use again, but regardless,
>>>> there are ways around it anyway.
>>>> --
>>>> "Yah know I hate it when forces gather in ma' fringe..." - Sheogorath
>>>> "Daytime television sucked 20 years ago,
>>>> and it still sucks today!" - Marc Bissonette
>>> Hi all,
>>> Thanks for the various advice. I should have made clear that the site
>>> I'm creating is for use only by a company's employees (so they don't
>>> have the choice about whether to use it or not), that they may be
>>> accessing the data from 'public' computers and that the data stored is
>>> of a sensitive nature so security is of high importance.
>>> I take the point about autocomplete making it easier for visitors to
>>> use complex passwords. I already have in mind to expire passwords
>>> after a set period and to enforce a mix of alphabetic and numeric
>>> characters and a minimum length.
>>> Thanks again,
>>> Nigel

>> But that won't stop browsers from storing passwords on those public
>> computers. All it will do is keep the user from reusing the passwords.
>> The password can still be on the computer - and readable by an
>> administrator.
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================

>
> Hi Jerry,
>
> You've got me worried now! Do you know how banks and such like get
> around this security loop-hole?
>
> I'm also wondering how the browser decides if the fields entered
> represent a Login and Password pair.
>
> I'm thinking of using the approach of randomising the two field names
> as suggested by Tony, but would the issue you've referred to still
> apply?
>
> Nigel
>
>


Yes, you can randomize them - but the issue is still there. You can't
control browser behavior.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
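
The field-name randomisation discussed in this thread, sketched in Perl as an added example that is not part of any poster's message. The secret value, the `/login` action, the hidden field `n` and the use of `/dev/urandom` are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret loaded from configuration, never sent to the client.
my $SECRET = 'constructed-demo-secret-change-me';

# Read 16 random bytes from the OS and return them as 32 hex characters.
sub new_nonce {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack('H*', $buf);
}

# Derive the field name for a role ("user" or "pass") from the nonce, so the
# server can recompute it on submission without storing per-form state.
sub field_name {
    my ($nonce, $role) = @_;
    return 'f' . substr(hmac_sha256_hex("$nonce:$role", $SECRET), 0, 16);
}

# Build the login form. autocomplete="off" is a request the browser may ignore.
sub login_form {
    my ($nonce) = @_;
    my ($u, $p) = map { field_name($nonce, $_) } qw(user pass);
    return <<"HTML";
<form method="post" action="/login" autocomplete="off">
  <input type="hidden" name="n" value="$nonce">
  <input type="text" name="$u" autocomplete="off">
  <input type="password" name="$p" autocomplete="off">
  <input type="submit" value="Log in">
</form>
HTML
}

# Map submitted parameters back to (user, password); reject a malformed nonce.
sub read_login {
    my (%param) = @_;
    my $nonce = $param{n} // '';
    return unless $nonce =~ /\A[0-9a-f]{32}\z/;
    return ($param{ field_name($nonce, 'user') }, $param{ field_name($nonce, 'pass') });
}

my $nonce = new_nonce();
print login_form($nonce);
# Constructed sample submission, shaped as the form above would post it.
my %post = (n => $nonce, field_name($nonce, 'user') => 'nigel', field_name($nonce, 'pass') => 'example-pw');
my ($user, $pass) = read_login(%post);
print "parsed user=$user\n";
```

The password input still has `type="password"`, so a browser can recognise it and offer to save the value whatever the fields are called, which is the limitation the reply above points out.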
