Monday, July 12, 2010

Risk associated with auto complete feature

Auto complete can be very useful for some one who has lengthy user name, complex passwords, or some one with too many user accounts and use it so often to switch between accounts/browsers.  It can really be very frustrating to enter the same user name, password, email address again and again. Most of the browsers came up with a handy function called auto complete to remember the login credentials so user do not have to type it often. But looking at security point of view Auto Complete is not secured at all. It is an Security risk that any one other than you who has access to your work station can comprise your login credentials  like password in matter of seconds.
The AutoComplete feature in Internet Explorer, Firefox, Opera and other web browser can save web addresses, form data, different login informationsuch as usernames and passwords, etc. This information will be automatically entered every time you visit the site again. The problem is that all this information will also be automatically entered for anyone else who works at your computer and accesses the same sites. To protect your privacy user must take control of when too use auto complete and when not to depend on the sensitivity of the information and level of trust on securing the work station.
Typically all web browsers and application stores the login credential if you enable the auto complete option. Work station basically stores the passwords in location that are easy to access. Below is the screen shot of where Google chrome stores the password.  Go to options, personal stuff and saved password. Select the site and click the save password option. Browser will then display the password.
This is the same case with Mozila, Google chrome, Chromium, IE, Opera and safari. For users with heavily secured work station and features like account lockout (10 minutes best practice) this may not be a huge issue but for small office and places where user shares his/her work station with others this could be a serious social engineering problem.
So it is important for an average user to understand the security issue behind the auto complete feature and its best to disable to and use it as need arises. Many businesses are also disabling the ability for their computers to store and remember passwords. If a site is accessed where a password is stored it becomes very easy for a third party to investigate online accounts, buying habits and potentially make an online purchase under your name and using your credit information.
Lets look at some of the way to disable auto complete in major browsers.
Disabling auto-complete in Mozila firefox
  1. Select "Tools" then "Internet Options".
  2. Select the "Privacy" tab.
  3. Open "Save form information" category.
  4. Remove the check mark from the "Save information I enter in web page forms and the Search Bar".
  5. Click OK.
How to disable AutoComplete settings in Mozilla
  1. Select "Edit"
  2. Select "Preferences".
  3. Under "Privacy & Security" category, select Forms.
  4. Put check mark for "Save form data from web pages when completing forms"
  5. Click OK.
Disabling auto complete in Google Chrome
  1. Select "Options"
  2. Select "Personal stuff".
  3. Under "Personal stuff" never save passwords.
  4. Under "Under the hoods"clear browsing history.
  5. Under "Under the hoods" un check the option Use suggestion service to help complete the searches in the address bar" for added security.
  6. Click OK.
To disable AutoComplete (disable form AutoComplete, password AutoComplete) in Internet Explorer
  1. Select "Tools"
  2. Select "Internet Options".
  3. Open the "Content" tab.
  4. Under AutoComplete, click "Settings" button.
  5. In "AutoComplete Settings" window select what information your browser will remember - remove check marks from AutoComplete options you don't need (Web Address, Foms, User names and passwords on forms)