3

I have been helping out some people with their computers and repairing them. One of these people asked me about the safety of storing passwords in the auto form field. I showed them a quick trick on how you can retrieve the password from a simple jQuery call in the console. While working on some websites, I have been trying to figure out a way of preventing the use of this trick to find out what the saved password is.

To understand what im talking about if you dont know, try the following.

  1. Navigate to a website with jquery (or jquerify the site) and either have auto form fill in turned on or fill in the password field.
  2. inspect element to show the password id field or some way to call the field with jquery
  3. in console run something like $('#password').val() and watch the password show up.

I am wondering if there is some way for me as a web developer to prevent the use of this on my site but still allow the use of it for getting the value of the field within the site code.

Thanks.

EDIT

From facebook with login autofilled out (blacked out for security)

enter image description here

and then after jquerifying the page and running the $jq('#pass').val() in console without changing anything (password blacked for security)

enter image description here

USE CASE

User 1 is on public computer, they allow the browser to save login info

User 1 leaves, User 2 goes to same site. browser auto fills in login info

User 2 runs the command and gains access to the password

bretterer
  • 5,693
  • 5
  • 32
  • 53
  • 3
    That would only show you the password you just typed in, as it's on the clientside, and is'nt really a security risk as you probably know what you just typed in the box anyway ? You can't really see what anyone else did on some other computer, but you could of course see what someone else has in the autofill settings, but that's not really your problem as it's up to the user to protect their private computer, not you. – adeneo Aug 17 '12 at 20:35
  • oh but it is a little bit.... if you are on a computer that is shared (which is where my site is usually used) I would like to have some script on my site that prevents this from happening. if you have an auto filled password field from a previous user, the next user could do this trick to find the password out – bretterer Aug 17 '12 at 20:36
  • It will only show you the value of the current browser session input field(password) – Philip Aug 17 '12 at 20:36
  • Unless you can control your users, you can't stop them from doing this. – jrummell Aug 17 '12 at 20:39
  • Right... I didnt know if there was a script that could prevent a user from getting access to values of password fields in the console – bretterer Aug 17 '12 at 20:40
  • 1
    You can use the autocomplete attribute on your form element to turn off autofill. (some details here: http://stackoverflow.com/questions/582244/is-there-a-w3c-valid-way-to-disable-autocomplete-in-a-html-form?answertab=votes#tab-top) although it sounds like your mileage may vary on older browsers. – MichaC Aug 17 '12 at 20:49

2 Answers2

5

Short answer: no. Logically, there's no way to remove ability to access the data in this field and preserve functionality of autofill. The value of the password box is the password, and that's what you want to submit. You would either have to disable autofill to properly stop this from happening.

However...

You might be able to hide the value, by getting the value out of your password input box and blanking it with .val(""). Then submit the variable that stores the value instead of the contents in the box on submit. If you shrink your script using one of many tools out there that obfuscates variable names, it would be slightly more difficult (though certainly not impossible) to find the value. You could get more and more crazy by encrypting the value and decrypting it, but at the end of the day all the keys to get the password would have to be in the script so that the script itself could access it in the proper time. You'd stop the few cases where someone gave it a shot, but not a dedicated person.

You would also have to keep in mind all the following caveats:

  • You would have to be sure to only submit your password variable if the user does not change what it is. If the user updates the info in their password box, you'd want to submit that instead. With a tool like knockout.js you might be able to continuously get and hide whatever the user types into that box, but it would be another layer of complication

  • You would want it to be clear to the user what is going on. If their password box was suddenly blank, most users would be very confused.

Let's be realistic though. If a "hacker" has direct access to someone's computer, and they want the password, they're going to get it. They have a thousand other ways of getting to the password first before tapping into your javascript (keylogger, standing behind them as they type, packet sniffer if you're not using HTTPS or encrypting your data, hitting them with a blunt object, etc.) There's an XKCD strip about this somewhere. Edit: Found it :)

Nick
  • 8,964
  • 4
  • 26
  • 37
0

You can simply disable the autocomplete, so that password is not stored in the input field.

input type="password" autocomplete="off"

Priyanshu Jindal
  • 791
  • 5
  • 3