Browsers will sometimes ask a user if they wish to remember the password that they just entered. The browser will then store the password, and automatically enter it whenever the same authentication form is visited. This is a convenience for the user. Additionally some websites will offer custom "remember me" functionality to allow users to persist log ins on a specific client system.
Having the browser store passwords is not only a convenience for end-users, but also for an attacker. If an attacker can gain access to the victim's browser (e.g. through a Cross Site Scripting attack, or through a shared computer), then they can retrieve the stored passwords. It is not uncommon for browsers to store these passwords in an easily retrievable manner, but even if the browser were to store the passwords encrypted and only retrievable through the use of a master password, an attacker could retrieve the password by visiting the target web application's authentication form, entering the victim's username, and letting the browser to enter the password.
- While logging in, make sure you allow the browser to save the password.
- Observe the login page upon logout and note that the current password field is already filled in with the saved password due to password autocomplete enabled.
- As a best practice, do not have Autocomplete enabled by default.
- To prevent browsers from storing credentials entered into HTML forms, include the attribute autocomplete=" off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
- Please note that modern web browsers may ignore this directive. In spite of this, there is a chance that not disabling autocomplete may cause problems obtaining PCI compliance.