Security issues in 'Remember Me' feature

Paladion
By Paladion

March 15, 2006

Most web sites that deal with sensitive personal information of users require them to authenticate themselves with valid usernames and passwords. If the login credentials contain long card numbers or a series of complex passwords, users often find it difficult to remember them. Thus they turn to the browser to help them remember login credentials. Let's look at the security issues that arise from this feature.

Remember Me

There are two ways by which the browser can be instructed to remember login details.

Through the website's "Remember my login" option

The implementation through the application generally requires users to select a checkbox, which in turn saves a special cookie containing an authentication token (think of it as a marker) that is unique to the user. When the user returns to the website, the details in the cookie identify the user as being user so-and-so and log the user into the application. The information in the cookie is for the application to understand and should not contain any sensitive information, like passwords, that other users can read. It's similar to a supermarket handing out a membership card: by looking up that number, they know it is user so-and-so using the card, since no one else has that number.

Through the built-in feature of the browser

All modern browsers have a built-in feature for storing user login credentials, and it is enabled by default. The browser saves the login name and password on the hard drive after encrypting or encoding them, and fills in the fields when the same web page is accessed again.

Let us consider two of the widely used browser families, Internet Explorer and Mozilla (Netscape is very similar in implementation to Mozilla), to see how they actually deal with the acquired details.

Internet Explorer

Internet Explorer remembers passwords through the AutoComplete feature. If a user chooses "Yes" when the browser prompts with a dialog to save the password, the browser stores these usernames and passwords in Microsoft Protected Storage, which keeps them in a set of registry keys. The password is stored under the SPW key, which stands for Saved PassWords. The location is:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\SPW

In the right-hand pane of the SPW key, all the saved AutoComplete-controlled passwords are stored. However, they cannot be recognized, as they are encrypted and look something like this:

[Figure: the IntelliForms\SPW registry key with its encrypted values]

An interesting fact is that it makes no difference whether the user chooses YES or NO: the password is saved under the SPW key regardless of the choice. For Windows, saving the password is not the same as remembering it. When the user clicks NO, the password still has to exist so that Windows knows what action to take with it (offer to remember it or not). Also, encrypted passwords and AutoComplete information can easily be decrypted by using special password-revealing utilities like Advanced Password Recovery for IE, IE Password Revealer, IE Key (password recovery for Content Advisor) and several others.

To disable password saving in Internet Explorer:

  • Launch Internet Explorer.
  • Select Tools → Internet Options → Content.
  • Under Personal information, click on AutoComplete.
  • To stop password saving, uncheck "User names and passwords on forms".
  • To clear all existing saved usernames and passwords, click on Clear Passwords, then click OK in the warning dialog box.

Mozilla

Mozilla remembers passwords through the Password Manager. If a user chooses "Yes" when the browser prompts with a dialog to save the password, Password Manager saves the user names and passwords in a file. This file is difficult, but not impossible, for an intruder to read.

The location of the file is:

In Windows 2000 and Windows XP:

C:\Documents and Settings\[Windows Login Name]\Application Data\Mozilla\Firefox\Profiles\[random string].default\signons.txt (in Mozilla Firefox; in Mozilla the file is [random string].s)

In Linux:

~/.mozilla/[Mozilla Profile Name]/[random string].slt/[random string].s

This is the file containing your login information. Open it in a text editor. There will be a block of text which looks like this:

http://bugzilla.mozilla.org
Bugzilla_login
~ZW1haWxhZHJlc3NAZG9tYWluLmNvbQ==
* Bugzilla_password
~UGFzc3dvcmQ=
.

The first line is the URL of the site for which the login credentials are being stored. The third and fifth lines are the username and the password, which are stored in an encoded format. The final line is a period, which tells Mozilla that it has reached the end of the stored information for that website. Additionally, a user can choose to encrypt the stored data by setting a master password in Mozilla's Password Manager. With encryption selected, the user will be asked for the master password at least once during a browser session in which any of the stored sensitive information is accessed.

The stored passwords can be viewed by navigating to Mozilla Firefox's Password Manager and choosing Show Passwords. If a master password is set, the user will be prompted to enter it before the stored credentials are displayed.

To disable password saving in Mozilla Firefox on Windows:

  • Launch Mozilla Firefox.
  • Open the Tools menu and choose Options.
  • From the Privacy category, choose the Passwords tab.
  • Deselect "Remember passwords" to turn Password Manager off.

To disable password saving in Mozilla on Linux:

  • Launch Mozilla.
  • Select Edit → Preferences.
  • Under Category, expand Privacy & Security, then select Passwords.
  • Deselect "Remember passwords" to turn Password Manager off.

Remembering login credentials on the client machine is safe as long as the user is the only person with access to the computer. However, in a shared computing environment, neither of the above (remembering passwords through the application or through the browser feature) is technically secure. Anyone who has physical access to the target user's computer can get into those websites or steal the login credentials.

Preventive Measures

For "Remember My Login" implementations that rely on cookies, ensure that the authentication details stored to identify the user on future visits do not contain the actual username and password in plaintext.
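Both the cookie-based "Remember my login" design described earlier and this preventive measure come down to the same rule: the cookie carries a token, never the credentials. The following Python is an added example (not code from the article) of one such scheme: the cookie holds a random selector and a random validator, the server stores only a SHA-256 hash of the validator, and a token is consumed on use. The in-memory TOKENS dict and the 30-day lifetime are assumptions standing in for a real database table and policy.

```python
import hashlib
import hmac
import secrets
import time

# Stand-in for a server-side database table (constructed for this example):
# selector -> {"user": username, "hash": sha256(validator), "expires": epoch}
TOKENS = {}
COOKIE_LIFETIME = 30 * 24 * 3600  # 30 days, in seconds


def issue_remember_me(username, now=None):
    """Create the cookie value "<selector>:<validator>" and store only its hash.

    The selector is a public lookup key; the validator is the secret. Neither
    the cookie nor the server table contains the user's password.
    """
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    TOKENS[selector] = {
        "user": username,
        "hash": hashlib.sha256(validator.encode()).hexdigest(),
        "expires": now + COOKIE_LIFETIME,
    }
    return f"{selector}:{validator}"


def redeem_remember_me(cookie_value, now=None):
    """Return the username for a valid, unexpired cookie, otherwise None.

    A successful redemption deletes the record, so a copied cookie stops
    working once the legitimate user has logged in with it.
    """
    now = time.time() if now is None else now
    selector, sep, validator = cookie_value.partition(":")
    record = TOKENS.get(selector) if sep else None
    if record is None:
        return None
    if now > record["expires"]:
        del TOKENS[selector]  # expired: clean up and refuse
        return None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison: do not leak the stored hash via timing.
    if not hmac.compare_digest(presented, record["hash"]):
        return None
    del TOKENS[selector]  # single use; the caller issues a fresh token
    return record["user"]
```

On a successful redemption the application should log the user in and immediately call issue_remember_me again, so the client always holds a fresh token.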

A browser, on the other hand, can be told not to pop up the "Remember password" dialog box by setting the following attribute on the form or on any sensitive input fields, such as usernames, passwords, password re-validation, credit card numbers, and so on:

  <form AUTOCOMPLETE="off">   - for all form fields
  <input AUTOCOMPLETE="off">  - for just one field

This indicates to most browsers not to store that field in the password management feature. It is only a polite suggestion to the browser, and not every browser supports this attribute. A complementary technique is to change the form URL or input names.

Browsers use different methods of deciding when to fill in a saved name and password. Internet Explorer uses the form page URL: it will offer name and password AutoComplete whenever that URL is displayed, even if the form input names are different. Mozilla uses the web host name and the form input names: fill-in is done whenever the URL contains the saved host name and the saved input names are identical. Secure sites may need to alter both the URL and the form input names, in addition to using AUTOCOMPLETE="off", to defeat password saving and AutoComplete fill-in.
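As an added example (not code from the article), here is the input-name half of that technique in Python: the server gives the login fields fresh random names on every render, sets autocomplete="off" on the form and fields, and maps the submitted names back on the server side, so a password manager keyed on input names never sees the same form twice. The session dict, the f_ name prefix and the /login action are assumptions.

```python
import secrets
from html import escape

# Logical login fields that receive a fresh random name on every render.
LOGIN_FIELDS = ("username", "password")


def new_field_map(session):
    """Assign fresh random input names for one rendering of the login form.

    The mapping lives in the caller's session store (a plain dict here,
    standing in for a real server-side session), so only the server can
    translate the submitted names back to their logical meaning.
    """
    mapping = {field: "f_" + secrets.token_hex(8) for field in LOGIN_FIELDS}
    session["login_fields"] = mapping
    return mapping


def render_login_form(session, action="/login"):
    """Return a login form whose input names differ on every render."""
    names = new_field_map(session)
    return (
        f'<form method="post" action="{escape(action)}" autocomplete="off">\n'
        f'  <input type="text" name="{names["username"]}" autocomplete="off">\n'
        f'  <input type="password" name="{names["password"]}" autocomplete="off">\n'
        '  <input type="submit" value="Log in">\n'
        '</form>'
    )


def parse_login_post(session, form_data):
    """Map a submitted form back to {"username": ..., "password": ...}.

    Returns None when the session has no pending form or a field is missing;
    this also rejects a form that was rendered for another session.
    """
    names = session.pop("login_fields", None)  # one mapping per render
    if names is None:
        return None
    try:
        return {field: form_data[names[field]] for field in LOGIN_FIELDS}
    except KeyError:
        return None
```

Varying the page URL as well, which Internet Explorer keys on, is a routing concern outside this snippet.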

In applications that offer a password-remembering feature, it is advisable to show a message warning users about the insecurities involved in using a shared computer.

Conclusion

The very reason for implementing a "Remember Me" feature is the user's convenience. There is no harm if the user is the only person accessing the application through his computer. In such a situation, the user might be willing to take advantage of password managers. Forcing users not to save passwords even when they think it is safe will only cause user inconvenience. Moreover, there are known workarounds, for example small JavaScript snippets that allow the browser to override a website's request not to remember passwords. The entire idea of security is balancing risk vs. convenience. Password managers increase convenience, but also increase risk by offering a central location from which to lose ALL of the passwords at once on a shared computer.

Incidentally the Plynt certification standard specifies two criteria related to "Remember Me" implementation in applications. They are:

Plynt certification criterion no. 16

Warning required for "Remember Me": If the application provides a "Remember Me" feature, it must warn the user against enabling while using shared computers to access the application.

Plynt certification criterion no. 17

Password not stored in plain text for "Remember Me": If the application provides a "Remember Me" feature, it must not store user passwords on the client machine in plain text or in a form that can be decrypted by an adversary.
