Browser Autocomplete Musings

   Posted by: Joshbw   in Browser/Web Security

It is common practice for security professionals to recommend that a website disable browser autocomplete (credential caching) on authentication screens.  For example, OWASP says the following about authentication:

Browser Caching – Authentication and session data should never be submitted as part of a GET, POST should always be used instead. Authentication pages should be marked with all varieties of the no cache tag to prevent someone from using the back button in a user’s browser to back up to the login page and resubmit the previously typed in credentials. Many browsers now support the autocomplete=false flag to prevent storing of credentials in autocomplete caches.

This seems like perfectly valid advice, since doing otherwise puts a substantial number of users on shared or public machines at risk.  If I use the same machine account as Chuck and Chuck compulsively clicks “yes” when IE nags him about caching credentials (btw browser makers, the default answer that a user would compulsively click on should probably err on the side of security), then when I use IE and visit Chuck’s bank website, IE will kindly fill in his credentials for me.  This would be bad.  Likewise, if a laptop were stolen and the user account on it was easily compromised (for example, the machine was in hibernation and the user hadn’t configured Windows to require a password when resuming from hibernation), then if autocomplete were in use the user’s web credentials would be compromised along with the machine.

However, an unrelated train of thought has led me to feel that caching credentials on a private machine may not be such a bad idea, or more precisely that there are positive tradeoffs.  Most people use at best a couple of different credentials, because it is a pain to remember the variants and which website each one belongs to (for example, my compulsive differentiation of credentials always comes back to bite me on rarely visited websites, especially since I don’t give consistent BS answers to “what is your favorite color” in the forgot password functionality.  I know I didn’t write down a color, but I don’t remember what I did write down).  The problem with using only a limited credential set (and incidentally the problem with single sign on and federated websites) is that if any one credential is compromised, it will likely give the threat agent access to many unrelated accounts.  For example, if I used only one or two usernames and a PayPal phishing scam bit me, the attacker could very likely log in to my bank, to Amazon, and so on with the same credentials (well, to be clear, as previously mentioned, I use many passwords, often to my dismay, so on a personal note the attacker would get very little).

Enabling autocomplete makes it easier for users to use different credentials on different websites.  The browser is in charge of remembering all of the variations rather than the user, and if any one credential set is compromised then only one account with one website is affected (unless it happens to be the credentials to your Gmail account, where the attacker could just search your email for all of the helpful companies that disclose your password in email).  An idea I have been kicking around is a “This is a private computer, enable browser caching of credentials” checkbox (with a corresponding “what’s this” link to explain the risk to users) that, when checked, sets the form to allow autocomplete.  That way the credentials are not cached by default, but if the user is confident that they can protect their machine they can choose to enable the functionality and thus manage a larger collection of credentials with ease.
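As an added example (not code from the original post), here is one way to wire up the opt-in checkbox described above. It assumes a login form with id login, credential fields named username and password, and a checkbox with id private-machine; all of those names are constructed for the example, and the fake form object at the bottom exists only so the decision logic can be exercised outside a browser. Two details worth noting: the HTML attribute takes the values "on" and "off" (not "false" as in the OWASP text quoted above), and the checkbox itself is marked autocomplete="off" so the browser does not restore a stale checked state when the user navigates back to the page.

```javascript
// Added example, not from the original post. Opt-in credential caching:
// the form and its credential fields default to autocomplete="off" and are
// switched to "on" only while the (assumed) "private machine" checkbox is checked.
// Assumed markup (constructed for this example):
//   <form id="login" method="post" autocomplete="off">
//     <input name="username" autocomplete="off">
//     <input name="password" type="password" autocomplete="off">
//     <input type="checkbox" id="private-machine" autocomplete="off">
//   </form>

const CREDENTIAL_FIELDS = ['username', 'password'];

// Pure decision: the attribute value to use for the given checkbox state.
// Valid HTML values are "on" and "off"; anything else is ignored by browsers.
function autocompleteValueFor(isPrivateMachine) {
  return isPrivateMachine ? 'on' : 'off';
}

// Applies the decision to the form and every credential field on it.
// Works on a real HTMLFormElement and on the minimal stand-in below.
function applyAutocompletePolicy(form, isPrivateMachine) {
  const value = autocompleteValueFor(isPrivateMachine);
  form.setAttribute('autocomplete', value);
  for (const name of CREDENTIAL_FIELDS) {
    const field = form.querySelector(`[name="${name}"]`);
    if (field) field.setAttribute('autocomplete', value);
  }
  return value;
}

// Browser wiring. Browsers decide whether to offer to save a password at
// submit time, so the policy is applied both when the box changes and again
// on submit; the box is reset to unchecked on load so the secure default holds.
function wireLoginForm(doc) {
  const form = doc.getElementById('login');
  const box = doc.getElementById('private-machine');
  if (!form || !box) return false;
  box.setAttribute('autocomplete', 'off'); // don't let the browser restore "checked"
  box.checked = false;
  applyAutocompletePolicy(form, false);
  box.addEventListener('change', () => applyAutocompletePolicy(form, box.checked));
  form.addEventListener('submit', () => applyAutocompletePolicy(form, box.checked));
  return true;
}

// Minimal stand-in for the DOM so the policy logic runs offline (constructed).
function makeFakeForm() {
  const makeField = (name) => {
    const attrs = { name, autocomplete: 'off' };
    return {
      getAttribute: (k) => attrs[k],
      setAttribute: (k, v) => { attrs[k] = v; },
    };
  };
  const fields = CREDENTIAL_FIELDS.map(makeField);
  const attrs = { autocomplete: 'off' };
  return {
    getAttribute: (k) => attrs[k],
    setAttribute: (k, v) => { attrs[k] = v; },
    querySelector: (sel) =>
      fields.find((f) => sel === `[name="${f.getAttribute('name')}"]`) || null,
  };
}

if (typeof document !== 'undefined') {
  // Real page: attach to the assumed markup.
  wireLoginForm(document);
} else {
  // Offline demo: default is "off", opt-in flips the fields to "on".
  const demo = makeFakeForm();
  applyAutocompletePolicy(demo, false);
  applyAutocompletePolicy(demo, true);
}
```

One caveat for anyone reading this today: mainstream browsers have since stopped honouring autocomplete="off" on password fields and offer their own password managers regardless, which is essentially the per-user opt-in above implemented on the browser side, so the toggle is illustrative of the 2008 behaviour rather than something a site can rely on now.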

Thoughts?

~Joshbw

This entry was posted on Tuesday, April 1st, 2008 at 1:27 pm and is filed under Browser/Web Security.
