Autocomplete
From Computing and Software Wiki
AutoComplete is a feature built into many programs, such as text editors, word processors, software development tools, and (most commonly) web browsers. It predicts user input by offering the user a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.
AutoComplete has a further feature that allows an application (most often a web browser) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user enters a username and a password on a website for the first time, the program asks whether they would like AutoComplete to save the password. If the user agrees, AutoComplete saves the username and password to the Windows registry, encrypted with the URL of the website. The next time the user begins to type their username into the username field, the browser predicts the input as that username (or other previously entered usernames that begin with the same letters). An option box appears under the input field with all potential predictions, and the user can select their username. When the user does this, the password is filled in automatically (the form is automatically completed, hence the name). This speeds up monotonous tasks such as username/password entry. In other AutoComplete applications, other input is sped up by automatically typing things the user is sure to type: for example, a software development tool working with C++ might automatically add a } every time the user types a {, or a word processor might offer the word December every time the user types Dec. This is not to be confused with AutoReplace, used mostly in word processors to correct spelling (e.g. always replacing 'adn' with 'and').[6]
Saving usernames and passwords has inherent security risks. For example, any person who uses someone's computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously entered text). However, web browsers such as Mozilla Firefox have a built-in master password. When a browser window is opened, the program asks the user for their master password. If it is entered correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessible.[3]
The fact that usernames and passwords are saved at all may be unnerving to some. While the data is encrypted, its location is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2), and since it is typically encrypted using the URL of the website, it can be decrypted without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites[4]. If a hacker could run this program remotely on a machine, all of that information would be available; an adept hacker may be able to accomplish the same thing without such a program (see Figure 1 for a look at how the program works). Granted, if a user clears their internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so that attackers cannot procure them. The freeware program RoboForm is one such program[2]; it can encrypt passwords safely and enter them automatically, or it can generate random passwords that hackers cannot guess and enter them into forms automatically so the user does not have to deal with them[7].
Figure 1:
Note that AutoComplete is also controlled directly by the website: the site's author can choose whether or not AutoComplete is available on their site. They can allow saving of both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete (see Figure 2). However, browsers such as Opera 7.0 circumvent the site's AutoComplete setting entirely and save all usernames and passwords in their own way: Opera's "wand" feature does not honour autocomplete="off". If a user is concerned about this, the browser should be avoided.[1]
Figure 2:
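The site-level control described above is the HTML autocomplete attribute, set on the form or on an individual input. The following is an added example (not code from the original article) of a small audit helper a site owner can run over a login page's HTML source to see which credential fields a browser may still offer to save; it uses a deliberately simple regex parser and a constructed sample page.

```javascript
// Added example: audit an HTML login page's source for username/password
// inputs and report whether AutoComplete is disabled on each field, either
// on the <input> itself or inherited from its <form>. Regex-based parsing;
// assumes well-formed, non-nested <form> tags. Valueless attributes are ignored.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim().toLowerCase();
  }
  return attrs;
}

// Returns one entry per credential-style input:
// { name, type, formAutocomplete, fieldAutocomplete, disabled }
function auditAutocomplete(html) {
  const results = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let f;
  while ((f = formRe.exec(html)) !== null) {
    const formAc = parseAttrs(f[1]).autocomplete || 'on'; // HTML default is "on"
    const inputRe = /<input\b([^>]*)>/gi;
    let i;
    while ((i = inputRe.exec(f[2])) !== null) {
      const a = parseAttrs(i[1]);
      const type = a.type || 'text';
      const name = a.name || '';
      // Password fields, plus text-like fields whose name suggests a login id.
      if (type !== 'password' && !/user|login|email/.test(name)) continue;
      // A field-level value overrides the form-level one; otherwise inherit.
      const effective = a.autocomplete !== undefined ? a.autocomplete : formAc;
      results.push({ name, type, formAutocomplete: formAc,
                     fieldAutocomplete: a.autocomplete ?? null,
                     disabled: effective === 'off' });
    }
  }
  return results;
}

// Constructed sample: a bank-style form that opts out (but re-enables saving on
// the password field by mistake), and a second form that never opts out.
const SAMPLE_HTML = `
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="on">
</form>
<form action="/signin" method="post">
  <input type="email" name="email">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>`;

for (const r of auditAutocomplete(SAMPLE_HTML)) {
  console.log(`${r.type.padEnd(8)} ${r.name.padEnd(9)} autocomplete ${r.disabled ? 'off' : 'ON (browser may save)'}`);
}
```

Modern browsers treat autocomplete="off" on credential fields as advisory and may still offer to save the password, so the audit reports the page's stated intent rather than a guarantee of browser behaviour.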
References:
[1] Browser AutoComplete and Authentication Security
[2] Internet Explorer (Auto Complete) stores your passwords unencrypted!
[3] Store passwords securely in Firefox
[5] Threats and Countermeasures
[6] Autocomplete Wikipedia Entry
[7] RoboForm