Is the "Privacy Violation: Autocomplete" warning really valid?
One of the warnings we got in our scan is the "Privacy Violation: Autocomplete | (Security Features, Content)" warning. It tells us to add an "autocomplete=off" attribute to a password input in one of our forms due to potentially exposing this value. This is the recommendation text from Fortify itself:
"Explicitly disable autocompletion on forms or sensitive inputs. By disabling autocompletion, information previously entered will not be presented back to the user as they type. It will also disable the "remember my password" functionality of most major browsers."
When we checked this further to understand the problem, we noticed that pretty much all current browsers are outright ignoring this flag on purpose, and instead giving the user control over whether or not to save the password (by detecting the input with the 'password' type).
Comparing what Fortify states, "It will also disable the "remember my password" functionality of most major browsers", with the data we found, this claim is actually not true.
We also found a discussion where a user was trying to disable autocomplete but IE was ignoring it. Multiple suggestions talk about this being a bad practice and a workaround to a bigger security problem.
Lastly, we checked a few big login pages like Google's, and even the main Fortify login page, and they are also not adding this attribute to the password inputs.
With all that in mind, is the warning being emitted by Fortify really a valid warning at this point?