Browser prompts to store SSPR login credentials

  • 7024177
  • 11-Oct-2019
  • 11-Oct-2019

Environment

Self Service Password Reset
SSPR 4.x
Firefox v38 or newer
Chrome v34 or newer
Internet Explorer 11

Situation

The browser prompts to save the password entered on the SSPR login page. Is this a security vulnerability?
How can Firefox be prevented from saving the login for the SSPR page?

Resolution

This is not a security vulnerability in SSPR. With older browser versions, setting "autocomplete=off" in a web application would prevent the browser from prompting to store credentials. This is no longer the case with modern browsers.

SSPR sets "autocomplete=off" on the login form, but it is up to the browser to honor it. Newer versions of Firefox, Chrome and Internet Explorer do not honor the attribute; they consider it safer to save passwords in their own vault, which can then be protected with a certificate, a master password, or similar.

To stop the browser from prompting at an organizational level, use a Windows Group Policy Object, or a Linux or macOS script that deploys the equivalent browser policy. For example, see https://github.com/mozilla/policy-templates/blob/master/README.md for instructions on setting a Windows GPO for Firefox.
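The following PowerShell script is an added example and is not part of this article or of the SSPR product; it writes the registry-based policy values that the Firefox and Chrome enterprise policy templates read (the same values a GPO would set) and then reads them back to confirm they took effect. It assumes it is run with administrative rights on a Windows workstation where both browsers are installed. The policy names `PasswordManagerEnabled` for Firefox (under `HKLM:\SOFTWARE\Policies\Mozilla\Firefox`) and for Chrome (under `HKLM:\SOFTWARE\Policies\Google\Chrome`) are documented by the respective vendors; the helper function name and the verification logic are this example's own.

```powershell
# Added example: disable the built-in password manager (and therefore the
# "save this password?" prompt) via machine-level policy registry values.
# Assumption: run in an elevated PowerShell session.

# Policy locations read by the Firefox and Chrome enterprise policy templates.
$policies = @(
    @{ Browser = 'Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled' },
    @{ Browser = 'Chrome';  Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled' }
)

function Set-BrowserPasswordManagerPolicy {
    # Helper name is this example's own; it is not a built-in cmdlet.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [bool] $Enabled = $false
    )

    # Create the policy key if it does not exist yet (fresh machine, no GPO applied).
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Both browsers interpret the value as a DWORD: 0 = disabled, 1 = enabled.
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $value -Force | Out-Null

    # Read the value back so the caller can see whether the write succeeded.
    return (Get-ItemProperty -Path $Path -Name $Name).$Name
}

foreach ($p in $policies) {
    $result = Set-BrowserPasswordManagerPolicy -Path $p.Path -Name $p.Name -Enabled $false
    $state = if ($result -eq 0) { 'disabled' } else { 'STILL ENABLED - check permissions' }
    Write-Host ("{0}: {1} = {2} ({3})" -f $p.Browser, $p.Name, $result, $state)
}
```

Setting the value through a GPO rather than a local script is preferable in a managed environment, because the policy is then re-applied on every refresh and cannot be quietly reverted by a local administrator. Browsers pick up a new policy value on their next start, so users should be told to restart the browser after the policy is deployed.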


Additional Information

The change in browsers to not honor autocomplete=off is documented on the Mozilla developer site.  See