From: Kurt Seifried (bugtraqSEIFRIED.ORG)
Date: Tue Apr 17 2001 - 22:16:53 CDT


    Not completely related but:

    MSIE 5.x offers a lot of new features for browsing content offline, and remembering form input and passwords. This of course makes life much more difficult from a security perspective, since by default when you enter a username and password (using HTTP) it prompts you if you wish to save them; many people will, or worse yet public access machines might. The next time you go to that page it automatically logs you in. In addition to this there is a feature to remember form input, so even if you secure the pages via a CGI there is a good chance the username and password put into the form will be remembered. Users at home, and users of public terminals (libraries, kiosks, etc.) have to assume that these "features" are enabled. This rules out the usage of HTTP based authentication (typically used to secure directories), since there is a good chance it will be cached, and there is no workaround available for it. Using forms to accept data, and a CGI program to process the input and grant/deny access is a better solution; even though MSIE can cache form input, there is a better chance this feature will be disabled, and if not there is a workaround. You can disable this in the form by putting AUTOCOMPLETE="OFF" in the form tag, such as:

    <FORM method=post action="submit.asp" AUTOCOMPLETE="OFF">

    Kurt Seifried, seifriedsecurityportal.com
    Securityportal - your focal point for security on the 'net

      ----- Original Message -----
      From: NDR113
      To: FOCUS-MSSECURITYFOCUS.COM
      Sent: Tuesday, April 17, 2001 6:12 PM
      Subject: autocomplete passwords

      Where does Windows store the passwords and username that the "auto-complete" feature of IE implements? I was looking for them in some registry key, but after a while I stopped searching... does anyone know where they are?
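
An added example, not part of the original posts: a small Python audit that flags login forms missing the AUTOCOMPLETE="OFF" workaround described in the reply above. It checks password fields only, also accepts the attribute set on the input itself, and runs on a constructed sample page whose file names (other than submit.asp) are made up.

```python
from html.parser import HTMLParser


def _is_off(attrs):
    """True when an element carries AUTOCOMPLETE="OFF" (case-insensitive)."""
    return attrs.get("autocomplete", "").strip().lower() == "off"


class AutocompleteAudit(HTMLParser):
    """Record password fields not covered by AUTOCOMPLETE=OFF."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (form action, field name) pairs
        self._form = None   # attributes of the form currently open

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases attribute names; valueless attributes are None
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = a
        elif tag == "input" and a.get("type", "").lower() == "password":
            form = self._form or {}
            if not (_is_off(form) or _is_off(a)):
                self.findings.append(
                    (form.get("action", "(no form)"), a.get("name", "(unnamed)")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html):
    """Return the list of unprotected password fields found in html."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one protected form, one not, one protected per field
SAMPLE = """
<FORM method=post action="submit.asp" AUTOCOMPLETE="OFF">
  <INPUT type=text name=user> <INPUT type=password name=pass></FORM>
<form method="post" action="login.asp">
  <input type="text" name="u"> <input type="PASSWORD" name="pw"></form>
<form method="post" action="admin.asp">
  <input type="password" name="secret" autocomplete="off"></form>
"""

if __name__ == "__main__":
    for action, field in audit(SAMPLE):
        print(f"{action}: password field '{field}' may be remembered by the browser")
```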