Absent Member.

Is the "Privacy Violation: Autocomplete" warning really valid?

One of the warnings we got in our scan is the "Privacy Violation: Autocomplete | (Security Features, Content)" warning. It tells us to add an "autocomplete=off" attribute to a password input in one of our forms due to potentially exposing this value. This is the recommendation text from Fortify itself:


Explicitly disable autocompletion on forms or sensitive inputs. By disabling autocompletion, information previously entered will not be presented back to the user as they type. It will also disable the "remember my password" functionality of most major browsers.

When we checked this further to understand the problem, we noticed that pretty much all current browsers are outright ignoring this flag on purpose, and instead giving special control to the user if he wants to save his password or not (by detecting the input with the 'password' type).

CanIUse reference for 'autocomplete'

Comparing what Fortify states, "It will also disable the "remember my password" functionality of most major browsers", with the data we found, this is actually not true.

We also found a discussion where a user was trying to disable autocomplete but IE was ignoring it. Multiple suggestions talk about this being a bad practice and a workaround to a bigger security problem.

Lastly, we checked a few big login pages like Google's, and even the main Fortify login page, and they are also not adding this attribute to the password inputs.

With all that in mind, is the warning being emitted by Fortify really a valid warning at this point?
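As an added illustration (not part of the original post, and not Fortify's rule logic), the snippet below scans a constructed HTML string for password inputs and classifies each one by its autocomplete attribute: no attribute at all, the "off" value that the Fortify recommendation asks for, or one of the WHATWG autofill field names ("current-password", "new-password") that tell a password manager which field is which. The function names, the regex-based tag parser and the sample forms are all assumptions made for this example; it runs under Node.js with no dependencies.

```javascript
// Added example: classify <input type="password"> elements in an HTML string
// by their autocomplete attribute. Not Fortify's implementation; the parser,
// function names and SAMPLE_HTML below are constructed for this illustration.

// Autofill field names for password fields defined by the WHATWG HTML standard.
const PASSWORD_TOKENS = new Set(["current-password", "new-password"]);

// Extract every <input ...> start tag and return its attributes as a map
// (attribute names and values lower-cased for comparison).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = (a[2] ?? a[3] ?? a[4]).toLowerCase();
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Returns null for non-password inputs, otherwise one of:
//   "missing"           no autocomplete attribute (what a scanner would flag)
//   "off"               autocomplete="off", the value Fortify recommends
//   "token:<name>"      a spec autofill field name for password fields
//   "other"             any other value
function classify(attrs) {
  if ((attrs.type || "text") !== "password") return null;
  const ac = attrs.autocomplete;
  if (ac === undefined) return "missing";
  if (ac === "off") return "off";
  // The field name may be preceded by a section/group token,
  // e.g. "section-reset new-password"; the field name is always last.
  const last = ac.split(/\s+/).pop();
  if (PASSWORD_TOKENS.has(last)) return "token:" + last;
  return "other";
}

// Run the classification over every password input in the document.
function scanPasswordInputs(html) {
  return parseInputs(html)
    .map(attrs => ({ name: attrs.name || "(unnamed)", verdict: classify(attrs) }))
    .filter(r => r.verdict !== null);
}

// Constructed sample forms: the Fortify-style "off" value, a bare password
// field, and a change-password form using the spec autofill field names.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pw_off" autocomplete="off">
</form>
<form action="/login2" method="post">
  <input type='password' name='pw_bare'>
</form>
<form action="/change" method="post">
  <input type="password" name="old" autocomplete="current-password">
  <input type="password" name="new1" autocomplete="new-password">
  <input type="password" name="new2" autocomplete="section-reset new-password">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanPasswordInputs(SAMPLE_HTML)) {
    console.log(r.name.padEnd(10), r.verdict);
  }
}
```

The scan only looks at markup; it cannot tell you what a given browser does with the attribute, which is the point the post raises. What it does show is the difference between the value the Fortify recommendation asks for and the field names the HTML standard defines for the same inputs.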
