Disable Automatic Auto-Fill of Passwords

Associated Risk Factors

The potential security concerns with enabling Automatic Auto-Fill are:

• Secure credential values may be stored in cloud environments,
  
  • This expands the surface area of possible attacks.
  • The security of these storage areas is unknown. They may be less secure than your organization would permit internally.
• Recovery tools can draw out browser stored passwords
• A browser script may be tricked into inserting the stored information into an incorrect location (ie. spoofing).
• Third-party scripts from advertisers, webpages, etc. could pick up and exploit user information (ie. man in the middle)
  • If they have been provided access to execute on the same domain, your organization's own webpages on your own domain, other webpages with various other domain

• Some browser applications identify and offer to store any password-like details. Storing secure personal and employee data in the same directory may violate your jurisction's privacy laws. 

Mitigating Auto-Fill Password Risks

Possible methods of reducing risk to your organization:

• Inform your users to:
  • Never use the "Remember Password" feature on their browsers

  • Move your passwords from Google Chrome to Password Server

Consider locking down browser settings & plugins for your organization:

• Enable and Disable Addons by Administrative Templates or Group Policy
• Chrome: Install Extensions using Group Policy or Master Preferences
• Firefox: An Extension for Centrally Management, another related: reference page
  
  • Config Settings: Modify the preference signon.autofillForms can be set to false to disable autofilling of credentials.
• MacOS: Can use the Server Admin tool.

Recent Industry References:

• Web Trackers Exploit Password Login Managers
• Example Password Attack - Demo Page