Autocomplete - Revision history

Rosolam at 01:23, 10 December 2007

2007-12-10T01:23:16Z

← Older revision		Revision as of 01:23, 10 December 2007
Line 1:		Line 1:
	AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It involves predicting user input by offering them a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.		AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It involves predicting user input by offering them a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.

-	AutoComplete has a further feature that allows an application (most often web browsers) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user inputs a username and a password to a website upon their first visit, the program asks the user if they would like AutoComplete to save their password. If the user agrees, AutoComplete will save the username and password of the user to the Windows registry encrypted with the URL of the website. The next time the user begins to type their password into the username field, the browser will predict the input as a username (or other usernames that were input that have the same beginning letters). An option box will appear under the input field with all potential predictions, and the user can select their username. When the user does this, the password is automatically filled out (the form is ''auto''matically ''complete''d, hence the name). This speeds up monotonous tasks such as username/password input. In other AutoComplete applications, other input is sped up by automatically typing things that a user is sure to type: for example a software development program working with C++ might automatically add a } to the code every time a user types a {, or a word processor might automatically offer up the word ''December'' every time a user types ''Dec''. This is not to be confused with AutoReplace, most used in word processes to correct spelling (i.e. always replacing 'adn' with 'and').	+	AutoComplete has a further feature that allows an application (most often web browsers) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user inputs a username and a password to a website upon their first visit, the program asks the user if they would like AutoComplete to save their password. If the user agrees, AutoComplete will save the username and password of the user to the Windows registry encrypted with the URL of the website. The next time the user begins to type their password into the username field, the browser will predict the input as a username (or other usernames that were input that have the same beginning letters). An option box will appear under the input field with all potential predictions, and the user can select their username. When the user does this, the password is automatically filled out (the form is ''auto''matically ''complete''d, hence the name). This speeds up monotonous tasks such as username/password input. In other AutoComplete applications, other input is sped up by automatically typing things that a user is sure to type: for example a software development program working with C++ might automatically add a } to the code every time a user types a {, or a word processor might automatically offer up the word ''December'' every time a user types ''Dec''. This is not to be confused with AutoReplace, most used in word processes to correct spelling (i.e. always replacing 'adn' with 'and').[6]


-	The saving of usernames and passwords has inherent security risks. For example, any person who uses someones computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously input text). However, web browsers such as Mozilla FireFox have built in master passwords. Upon the opening of a browser window, the program will ask the user for their master password. If input correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessable.	+	The saving of usernames and passwords has inherent security risks. For example, any person who uses someones computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously input text). However, web browsers such as Mozilla FireFox have built in master passwords. Upon the opening of a browser window, the program will ask the user for their master password. If input correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessable.[3]


-	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. ~~More information will be available on this later~~.	+	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites[4]. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program (please refer to Figure 1 for look at how the program works). Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. The freeware program RoboForm is such a program[2]; it can encrypt passwords safely and automatically input them, or it can generate random passwords that hackers cannot guess and input them in forms automatically so the user does not have to deal with them[7].


-	Figure 1:	+	'''Figure 1:'''

	[[Image:IEView.jpg]]		[[Image:IEView.jpg]]


-	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. It is called a "wand" feature and it does not use "autocomplete = off".[1]	+	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete (please see figure 2). However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. It is called a "wand" feature and it does not use "autocomplete = off".[1]
		+
		+
		+	'''Figure 2:'''
		+
		+	[[Image:Code.jpg]]
		+
		+

	'''References:'''		'''References:'''
Line 30:		Line 37:

	[6] [http://en.wikipedia.org/wiki/Autocomplete Autocomplete Wikipedia Entry]		[6] [http://en.wikipedia.org/wiki/Autocomplete Autocomplete Wikipedia Entry]
		+
		+	[7] [http://www.roboform.com RoboForm]

Rosolam at 01:17, 10 December 2007

2007-12-10T01:17:38Z

← Older revision		Revision as of 01:17, 10 December 2007
Line 8:		Line 8:

	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.		The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.
		+
		+
		+	Figure 1:
		+
		+	[[Image:IEView.jpg]]

Rosolam at 00:49, 10 December 2007

2007-12-10T00:49:07Z

← Older revision		Revision as of 00:49, 10 December 2007
Line 7:		Line 7:


-	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, ~~insert link here~~) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.	+	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.


-	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. ~~More information will be available on this later~~.	+	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. It is called a "wand" feature and it does not use "autocomplete = off".[1]
		+
		+	'''References:'''
		+
		+	[1] [http://wssg.berkeley.edu/SecurityInfrastructure/reports/AutoComplete/index.html Browser AutoComplete and Authentication Security]
		+
		+	[2] [http://www.ecommerce-blog.org/archives/internet-explorer-auto-complete-stores-your-passwords-unencrypted/ Internet Explorer (Auto Complete) stores your passwords unencrypted!]
		+
		+	[3] [http://useopensource.blogspot.com/2007/02/store-passwords-securely-in-firefox.html Store passwords securely in Firefox]
		+
		+	[4] [http://www.nirsoft.net/utils/internet_explorer_password.html IE PassView v1.06]
		+
		+	[5] [http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch07n.mspx Threats and Countermeasures]
		+
		+	[6] [http://en.wikipedia.org/wiki/Autocomplete Autocomplete Wikipedia Entry]

Rosolam: This page outlines the usage of AutoComplete, some if its weaknesses, and some potential remedies.

2007-12-03T04:01:17Z

This page outlines the usage of AutoComplete, some if its weaknesses, and some potential remedies.

← Older revision		Revision as of 04:01, 3 December 2007
Line 1:		Line 1:
-	AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It involves predicting user input by offering them a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.	+	AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It involves predicting user input by offering them a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.

-	AutoComplete has a further feature that allows an application (most often web browsers) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user inputs a username and a password to a website upon their first visit, the program asks the user if they would like AutoComplete to save their password. If the user agrees, AutoComplete will save the username and password of the user to the Windows registry encrypted with the URL of the website. The next time the user begins to type their password into the username field, the browser will predict the input as a username (or other usernames that were input that have the same beginning letters). An option box will appear under the input field with all potential predictions, and the user can select their username. When the user does this, the password is automatically filled out (the form is ''auto''matically ''complete''d, hence the name). This speeds up monotonous tasks such as username/password input. In other AutoComplete applications, other input is sped up by automatically typing things that a user is sure to type: for example a software development program working with C++ might automatically add a } to the code every time a user types a {, or a word processor might automatically offer up the word ''December'' every time a user types ''Dec''.	+	AutoComplete has a further feature that allows an application (most often web browsers) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user inputs a username and a password to a website upon their first visit, the program asks the user if they would like AutoComplete to save their password. If the user agrees, AutoComplete will save the username and password of the user to the Windows registry encrypted with the URL of the website. The next time the user begins to type their password into the username field, the browser will predict the input as a username (or other usernames that were input that have the same beginning letters). An option box will appear under the input field with all potential predictions, and the user can select their username. When the user does this, the password is automatically filled out (the form is ''auto''matically ''complete''d, hence the name). This speeds up monotonous tasks such as username/password input. In other AutoComplete applications, other input is sped up by automatically typing things that a user is sure to type: for example a software development program working with C++ might automatically add a } to the code every time a user types a {, or a word processor might automatically offer up the word ''December'' every time a user types ''Dec''. This is not to be confused with AutoReplace, most used in word processes to correct spelling (i.e. always replacing 'adn' with 'and').

-	The saving of usernames and passwords has inherent security risks. For example, any person who uses someones computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously input text). However, web browsers such as Mozilla FireFox have built in master passwords. Upon the opening of a browser window, the program will ask the user for their master password. If input correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessable.

-	The ~~fact that~~ usernames and passwords ~~are saved at all is perhaps unnerving to some~~. ~~While encrypted~~, ~~the location of the data is known~~ (in the case of Internet Explorer, insert link here) ~~and since the data is typically encrypted using the URL of the website~~, ~~it is possible to decrypt without much trouble. Programs~~ such as ~~IEView can show~~ the ~~usernames, passwords, and URLs~~ of ~~all saved AutoCompleted websites. If~~ a ~~hacker could remotely run this program on a machine~~, ~~all information is available. An adept hacker may be able to accomplish~~ the ~~same thing without such a~~ program. ~~Granted~~, ~~if a user clears internet history often and the URLs are not~~ saved~~, the~~ usernames and passwords ~~are not readable (until~~ the ~~website~~ is ~~visited again). There~~ are ~~many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later~~.	+	The saving of usernames and passwords has inherent security risks. For example, any person who uses someones computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously input text). However, web browsers such as Mozilla FireFox have built in master passwords. Upon the opening of a browser window, the program will ask the user for their master password. If input correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessable.

-	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. More information will be available on this later.	+
		+	The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, insert link here) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.
		+
		+
		+	Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. More information will be available on this later.

Rosolam: New page: AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It...

2007-12-03T03:57:24Z

New page: AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It...

New page

AutoComplete is a feature that is integrated into the shells of many programs, such as text editors, word processors, software development programs, and (most commonly) web browsers. It involves predicting user input by offering them a list of potential inputs. Such potential inputs can include lines of code, dictionary words, and (the focus of this article) usernames.

AutoComplete has a further feature that allows an application (most often web browsers) to save a password corresponding to a username. In the case of Windows Internet Explorer, when a user inputs a username and a password to a website upon their first visit, the program asks the user if they would like AutoComplete to save their password. If the user agrees, AutoComplete will save the username and password of the user to the Windows registry encrypted with the URL of the website. The next time the user begins to type their password into the username field, the browser will predict the input as a username (or other usernames that were input that have the same beginning letters). An option box will appear under the input field with all potential predictions, and the user can select their username. When the user does this, the password is automatically filled out (the form is ''auto''matically ''complete''d, hence the name). This speeds up monotonous tasks such as username/password input. In other AutoComplete applications, other input is sped up by automatically typing things that a user is sure to type: for example a software development program working with C++ might automatically add a } to the code every time a user types a {, or a word processor might automatically offer up the word ''December'' every time a user types ''Dec''.

The saving of usernames and passwords has inherent security risks. For example, any person who uses someones computer potentially has access to any and all usernames and passwords saved by AutoComplete on that machine (especially considering that double-clicking an empty field brings up all previously input text). However, web browsers such as Mozilla FireFox have built in master passwords. Upon the opening of a browser window, the program will ask the user for their master password. If input correctly, AutoComplete functions fully, allowing access to all previously saved usernames and passwords. If the password is incorrect, none of these are accessable.

The fact that usernames and passwords are saved at all is perhaps unnerving to some. While encrypted, the location of the data is known (in the case of Internet Explorer, *insert link here*) and since the data is typically encrypted using the URL of the website, it is possible to decrypt without much trouble. Programs such as IEView can show the usernames, passwords, and URLs of all saved AutoCompleted websites. If a hacker could remotely run this program on a machine, all information is available. An adept hacker may be able to accomplish the same thing without such a program. Granted, if a user clears internet history often and the URLs are not saved, the usernames and passwords are not readable (until the website is visited again). There are many programs that encrypt and obfuscate usernames and passwords so attackers cannot procure them. More information will be available on this later.

Let it be known that AutoComplete is something that is directly integrated into a website; that is, the author can directly choose whether or not AutoComplete is available on their site. They can choose to save both the username and password, just one of them, or neither. Many extra-sensitive sites such as banks choose not to allow AutoComplete. However, browsers such as Opera 7.0 circumvent the AutoComplete code entirely and save all usernames and passwords in their own way. If a user is concerned about this, the browser should be avoided. More information will be available on this later.