The Perils of Convenient Field Names
Autocomplete and remembered passwords have become a staple of every major browser, but the convenience comes at a cost to security. We can all see the obvious issue with saving our secret passwords so that we never have to log in, but there are subtler problems that slip past. Take, for instance, a "bug" I spied on the PayPal site earlier today.
Having created a new developer account and attempted to log in, I seemed to have entered the wrong password and couldn't log in. No problem, I could just reset the password. When I got to the ubiquitous secret question/answer prompt, I found that Firefox had conveniently remembered the value I had entered into the secret answer field when creating the account. Helpfully, it filled out my answer for me, allowing me to reset my account without having to type a thing. Granted, the only way this could really be exploited is if someone had access to the very same PC I created the account on, and it's not a glaring security hole, but it is something to think about. Anyone with access to the PC I used need not know my password: they can simply reset the password to something else without even needing to know my answer beforehand (and perhaps in doing so gain knowledge of my answer to every other secret question).
Always remember that, helpful as autocomplete is, it can be a real hole in an otherwise solid security wall if a mischievous user can have your five-layer password recovery form filled out automatically, simply because it uses the same field names as the account creation form. Browser form history is keyed on the field's name, so the fix is cheap: give the recovery form's sensitive fields names that differ from those on the sign-up form, or mark them autocomplete="off" so the browser neither stores nor offers the value. One caveat: browsers honour autocomplete="off" on ordinary text fields such as a secret answer, but several now ignore it on login and password fields in favour of their password manager, so do not rely on the attribute alone for those.
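The check below is an added example, not code from the original post or from PayPal: a small static audit that parses a sign-up form and a recovery form and reports which field names browser form history could carry from one to the other. The HTML samples and field names (secret_answer, recovery_answer, and so on) are constructed for illustration, and the list of text-like input types and the "sensitive name" pattern are assumptions for the heuristic.

```javascript
// Added example: audit two forms for fields that browser form history can
// autofill across them. Sample markup and field names are constructed.

const SIGNUP_FORM = `
<form id="signup" action="/signup" method="post">
  <input type="hidden" name="csrf" value="token">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="text" name="secret_question">
  <input type="text" name="secret_answer">
</form>`;

// Weak: reuses the sign-up field name, so the browser offers the stored answer.
const RECOVERY_FORM_WEAK = `
<form id="recover" action="/recover" method="post">
  <input type="text" name="email">
  <input type="text" name="secret_answer">
</form>`;

// Hardened: distinct name and autocomplete="off" on the sensitive field.
const RECOVERY_FORM_HARDENED = `
<form id="recover" action="/recover" method="post">
  <input type="text" name="email">
  <input type="text" name="recovery_answer" autocomplete="off">
</form>`;

// Parse one tag's attribute text into an object with lower-cased keys/values.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

// Return every <input> with its name, type and effective autocomplete setting
// (the field's own attribute, else the enclosing <form>'s).
function parseInputs(html) {
  const inputs = [];
  let formAutocomplete = '';
  const tagRe = /<(\/?form|input)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === '/form') { formAutocomplete = ''; continue; }
    const attrs = parseAttrs(m[2]);
    if (tag === 'form') { formAutocomplete = attrs.autocomplete || ''; continue; }
    inputs.push({
      name: attrs.name || '',
      type: attrs.type || 'text',
      autocomplete: attrs.autocomplete || formAutocomplete,
    });
  }
  return inputs;
}

// Input types whose values form history stores (assumed list; password and
// hidden fields are excluded because form history never records them).
const HISTORY_TYPES = new Set(['text', 'search', 'email', 'tel', 'url', 'number']);

function autofillable(input) {
  return input.name !== '' && HISTORY_TYPES.has(input.type) && input.autocomplete !== 'off';
}

// Names that both forms expose to form history: a value typed into the
// sign-up form will be offered on the recovery form.
function sharedAutofillable(signupHtml, recoveryHtml) {
  const remembered = new Set(parseInputs(signupHtml).filter(autofillable).map(i => i.name));
  return parseInputs(recoveryHtml)
    .filter(i => autofillable(i) && remembered.has(i.name))
    .map(i => i.name)
    .sort();
}

// Heuristic for names that look like recovery secrets (assumed pattern).
const SENSITIVE = /secret|answer|question|pin|ssn|dob|birth/i;

function sensitiveLeaks(signupHtml, recoveryHtml) {
  return sharedAutofillable(signupHtml, recoveryHtml).filter(n => SENSITIVE.test(n));
}

console.log('weak recovery form leaks:', sensitiveLeaks(SIGNUP_FORM, RECOVERY_FORM_WEAK));
console.log('hardened recovery form leaks:', sensitiveLeaks(SIGNUP_FORM, RECOVERY_FORM_HARDENED));
```

The weak recovery form reports secret_answer as a shared, autofillable field; the hardened one reports nothing sensitive, although email is still shared, which is acceptable since it is not a secret. Either a different field name or autocomplete="off" on its own is enough to break the match; the hardened sample does both because the two defences fail independently.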
Also, for the record, I don't use the secret answer in the picture anywhere; I'm just giving an example. I personally consider secret questions and answers pointless and insecure, as they simply provide an alternative means of gaining access to an account (why bother with a password when you can find out or guess something much easier with the same result?).
Tags:
Security