Disable Automatic Auto-Fill of Passwords
Many modern browsers and browser plugins have features that automatically fill in user passwords without user involvement, saving them in the browser or in the cloud. From a security standpoint we recommend disabling these types of features in your environment.
Automatic Auto-Fill can retrieve and input passwords without any human interaction (i.e. without a human first initiating the action and selecting the target field).
In its place we recommend using Auto-Type, which is available with the MacOS client and KeePass for Pleasant Password Server. Auto-Type requires user input to place credentials in a field, rather than doing so automatically in a field which may be compromised or spoofed.
Associated Risk Factors
The potential security concerns with enabling Automatic Auto-Fill are:
- Secure credential values may be stored in cloud environments:
  - This expands the surface area of possible attacks.
  - The security of these storage areas is unknown; they may be less secure than your organization would permit internally.
- Recovery tools can extract browser-stored passwords.
- A browser script may be tricked into inserting the stored information into an incorrect location (i.e. spoofing).
- Third-party scripts from advertisers, webpages, etc. could pick up and exploit user information (i.e. man-in-the-middle):
  - If they have been provided access to execute on the same domain, your organization's own webpages on your own domain, other webpages with various other domain
- Some browser applications identify and offer to store any password-like details. Storing secure personal and employee data in the same directory may violate your jurisdiction's privacy laws.
Mitigating Auto-Fill Password Risks
Possible methods of reducing risk to your organization:
- Inform your users to:
  - Never use the "Remember Password" feature on their browsers.
  - Move their passwords from Google Chrome to Password Server.
Consider locking down browser settings and plugins for your organization:
- Enable and disable add-ons via Administrative Templates or Group Policy.
- Chrome: install extensions using Group Policy or Master Preferences.
- Firefox: an extension for central management; see also the related reference page.
  - Config settings: the preference signon.autofillForms can be set to false to disable auto-filling of credentials.
- MacOS: use the Server Admin tool.
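The following script is an added example, not Pleasant Solutions code, showing how the browser lock-down above can be expressed as managed policy files and then audited. It uses Mozilla's documented policies.json format (the PasswordManagerEnabled and OfferToSaveLogins policies, plus the Preferences policy to lock signon.autofillForms to false) and Google Chrome's PasswordManagerEnabled policy in the Linux managed-policy JSON layout. The output directory, file names and findings text are this example's own choices; deployment paths (distribution/policies.json, /etc/opt/chrome/policies/managed/) are named in comments and are the vendors' documented locations.

```python
"""Generate and audit managed-browser policy files that switch off
password storage and automatic auto-fill.

Example added to this article; not Pleasant Solutions code. Policy key
names follow Mozilla's policies.json and Google Chrome's enterprise
policy documentation; file names and findings text are this example's.
"""
import json
import os
import tempfile

# Firefox reads distribution/policies.json inside the install directory
# (or /etc/firefox/policies/policies.json on Linux).
FIREFOX_POLICY = {
    "policies": {
        # Remove the built-in password manager entirely.
        "PasswordManagerEnabled": False,
        # Never prompt "Remember Password".
        "OfferToSaveLogins": False,
        # Lock the auto-fill preference named in the article so users
        # cannot re-enable it from about:config.
        "Preferences": {
            "signon.autofillForms": {"Value": False, "Status": "locked"},
        },
    }
}

# Chrome reads every *.json file in /etc/opt/chrome/policies/managed/ on
# Linux (HKLM\Software\Policies\Google\Chrome on Windows). Note that
# PasswordManagerEnabled=false blocks saving NEW passwords; already-saved
# entries remain usable, hence the article's advice to migrate them to
# Password Server first.
CHROME_POLICY = {
    "PasswordManagerEnabled": False,
}


def audit_firefox_policy(policy: dict) -> list[str]:
    """Return findings for a parsed Firefox policies.json; [] means
    password storage and auto-fill are locked off."""
    findings = []
    p = policy.get("policies", {})
    if p.get("PasswordManagerEnabled") is not False:
        findings.append("PasswordManagerEnabled is not set to false")
    if p.get("OfferToSaveLogins") is not False:
        findings.append("OfferToSaveLogins is not set to false")
    pref = p.get("Preferences", {}).get("signon.autofillForms")
    if pref is None:
        findings.append("signon.autofillForms is not managed")
    else:
        if pref.get("Value") is not False:
            findings.append("signon.autofillForms is not false")
        if pref.get("Status") != "locked":
            findings.append(
                "signon.autofillForms is not locked (user can re-enable it)")
    return findings


def audit_chrome_policy(policy: dict) -> list[str]:
    """Return findings for a parsed Chrome managed-policy JSON file."""
    findings = []
    if policy.get("PasswordManagerEnabled") is not False:
        findings.append("PasswordManagerEnabled is not set to false")
    return findings


def write_policy_files(root: str) -> dict[str, str]:
    """Write both policy files under `root` (mirroring the vendors'
    directory layout) and return their paths."""
    firefox_path = os.path.join(root, "firefox", "distribution", "policies.json")
    chrome_path = os.path.join(root, "chrome", "policies", "managed",
                               "disable-password-manager.json")
    for path, policy in ((firefox_path, FIREFOX_POLICY),
                         (chrome_path, CHROME_POLICY)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(policy, fh, indent=2)
    return {"firefox": firefox_path, "chrome": chrome_path}


def audit_files(paths: dict[str, str]) -> dict[str, list[str]]:
    """Load the files written by write_policy_files and audit each."""
    with open(paths["firefox"], encoding="utf-8") as fh:
        firefox = json.load(fh)
    with open(paths["chrome"], encoding="utf-8") as fh:
        chrome = json.load(fh)
    return {"firefox": audit_firefox_policy(firefox),
            "chrome": audit_chrome_policy(chrome)}


if __name__ == "__main__":
    out = write_policy_files(tempfile.mkdtemp(prefix="browser-policy-"))
    for browser, findings in audit_files(out).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{browser}: {out[browser]} -> {status}")
```

Point audit_firefox_policy at an existing policies.json pulled from an endpoint to verify that a deployment actually landed; a "Status" of "default" rather than "locked" is the common mistake, since it sets the value but leaves users free to flip it back.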