Nessus: Web Server Allows Password Auto-Completion
Closed this issue · 2 comments
Nessus security scans flag the login pages with the following low severity alert:
Nessus Plugin ID 42057
Synopsis
The 'autocomplete' attribute is not disabled on password fields.
Description
The remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or if their machine is compromised at some point.
Solution
Add the attribute 'autocomplete=off' to all password fields to prevent browsers from caching credentials.
See Tenable's page at https://tenable.com/plugins/nessus/42057
I don't think this is something we're likely to change.
For one thing, last I remember, major browsers don't even respect autocomplete=off on password inputs.
Thank you. That is what I expected but I am required to follow up on all of the security reports.