[
https://issues.apache.org/jira/browse/DRILL-8391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679172#comment-17679172
]
ASF GitHub Bot commented on DRILL-8391:
---------------------------------------
cgivre merged PR #2743:
URL: https://github.com/apache/drill/pull/2743
> Set autocomplete="off" on the password field of web UI login forms
> ------------------------------------------------------------------
>
> Key: DRILL-8391
> URL: https://issues.apache.org/jira/browse/DRILL-8391
> Project: Apache Drill
> Issue Type: Improvement
> Components: Web Server
> Affects Versions: 1.20.3
> Reporter: James Turton
> Assignee: James Turton
> Priority: Trivial
> Fix For: 1.21.0
>
>
> In order to avoid triggering security scanners it is necessary to set
> autocomplete = "off" on the password field in the web UI login form. This
> change probably has no real world security benefit because
> {quote}Even without a master password, in-browser password management is
> generally seen as a net gain for security. Since users do not have to
> remember passwords that the browser stores for them, they are able to choose
> stronger passwords than they would otherwise.
> For this reason, many modern browsers do not support {{autocomplete="off"}}
> for login fields:
> {quote}
> * {quote}If a site sets {{autocomplete="off"}} for a
> [{{<form>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form],
> and the form includes username and password input fields, then the browser
> still offers to remember this login, and if the user agrees, the browser will
> autofill those fields the next time the user visits the page.
> {quote}
> * {quote}If a site sets {{autocomplete="off"}} for username and password
> [{{<input>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input]
> fields, then the browser still offers to remember this login, and if the user
> agrees, the browser will autofill those fields the next time the user visits
> the page
> {quote}
> Excerpt taken from [this Mozilla Developer Network
> page|https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion].
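The scanner finding that the issue above sets out to silence can be reproduced offline with Python's standard `html.parser`. This is an added example, not code from the issue or from Drill. The sample markup is constructed, and treating a form-level `autocomplete` value as inherited by the field is an assumption (it follows HTML's rules, but a given scanner may only look at the input itself).

```python
from html.parser import HTMLParser

# Constructed sample markup, not Drill's actual login template.
SAMPLE_BEFORE = """
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace('type="password"', 'type="password" autocomplete="off"')


class PasswordFieldAudit(HTMLParser):
    """Collect every <input type="password"> with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete = None   # value set on the enclosing <form>, if any
        self.findings = []              # (line, field name, effective value, flagged)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type", "").lower() == "password":
            # The input's own attribute wins; otherwise fall back to the form's.
            value = a.get("autocomplete", self.form_autocomplete)
            flagged = (value or "").strip().lower() != "off"
            self.findings.append((self.getpos()[0], a.get("name", ""), value, flagged))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete = None


def audit(html):
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def flagged_fields(html):
    """Names of password fields a scanner using this rule would report."""
    return [name for _, name, _, flagged in audit(html) if flagged]


if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(doc))
```

A clean result here only shows that the scanner rule is satisfied; as the quoted MDN excerpt says, browsers may still offer to save and autofill the login.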