Meshcentral: Ability to disable autocomplete

Created on 11 Mar 2021 · 12 Comments · Source: Ylianst/MeshCentral

I've recently had a security audit performed against my MC2 server and one of the findings is the fact that autocomplete is enabled on the login form (specifically the password field). Would it be possible to add in controls (in the config.json file under the domains section?) that can manipulate the HTML? I'm thinking something along the lines of:


Disable autocomplete for both username and password

...
"__loginDisableAutocomplete__": "disable autocomplete of HTML elements from the login page (use their IDs)",
"loginDisableAutocomplete" : ["password", "username"], 
...


Disable autocomplete for just password

...
"__loginDisableAutocomplete__": "disable autocomplete of HTML elements from the login page (use their IDs)",
"loginDisableAutocomplete" : ["password"], 
...


An alternative approach (taking into account the parent element)

...
"__disableAutocomplete__": "disable autocomplete of HTML elements using parent and child IDs",
"disableAutocomplete" : ["loginuserpassdiv>password"], 
...

I do appreciate that getting into the nitty gritty of the presentation of the front end may be a little too much to ask...

Labels: Fixed - Confirm & Close, enhancement

All 12 comments

So, in the past I have put the following line on password fields:

autocomplete=off

This was completely ignored by browsers. If you can let me know exactly what attribute(s) I should put on password fields to stop autocomplete, I will gladly do it.

In "login.handlebars", look for "autocomplete="; you can replace these values and experiment.

Once I know what you want, I can figure out the config.json. It's possible this is not going to be that easy, but let me know.

Virtually all browsers do indeed ignore autocomplete=off and for good reason - preventing autocomplete on credential fields prevents autofill from password managers which, in my opinion at least, reduces security rather than improves it. I'm not going to argue that you should ignore it as I'm sure you have to comply with the audit but definitely make this an optional feature if it's implemented please!

It will certainly be optional (if it can be done at all). I imagine this is driven by corporate security policies. The best would be to disable it in the browser.

Another solution would be to turn on 2FA on all accounts, i.e. autocomplete + 2FA.

FYI. You can force 2FA on all accounts on a domain using the following configuration in the domain section of the config.json:

      "passwordRequirements": {
        "min": 8,
        "max": 128,
        "upper": 1,
        "lower": 1,
        "numeric": 1,
        "nonalpha": 1,
        "reset": 90,
        "force2factor": true,                                     <------------------
        "skip2factor": "127.0.0.1,192.168.2.0/24",
        "oldPasswordBan": 5,
        "banCommonPasswords": false
      }

I would suggest that this isn't a problem for meshcentral to solve. It sounds like a browser related issue and (I might be projecting a bit here) compliance auditors don't know their head from their ass. Suggest closing as a not related bug.

To the OP, I would suggest saying that 2FA is enabled to prevent password compromises and Chrome actively circumvents autofill.

Agreed. I will close this issue. @D4V3M0NK, let me know if you come up with any specific action I need to take. I am always looking to improve security.

Apologies, I've been trying to get this to work but every time I change the login.handlebars file, nothing seems to change on the front end, even after restarting the services and viewing in incognito mode.

I do agree with comments made here, but from a security point of view, it does throw an issue. In my mind, if there's a way of removing the autocomplete parameter completely (with an appropriate config.json control so that it's down to the user themselves as to whether to invoke it or not), then that's about as much as we can do. What the browser chooses to do with form fields is out of the application's control. However, at the moment, the autocomplete parameter IS there and as a result, will be deemed to be a security issue.

PS : MFA is already configured for all users, I wouldn't be able to use this product otherwise, and that's taken into account with the security audit. Also bear in mind that 99/100, it's a vulnerability scanner that's providing these audits so it will look at everything that it can possibly read. I also have authenticated scans against MC2 so that the vuln scanner can actually log into the system and continue scanning as an authorized user (albeit with no access to any remote system of course).

@Ylianst - I see that this is closed. Are there any plans to be able to control having the autocomplete parameter removed from the interface? Even if I somehow can update the CI/CD process to overwrite the login.handlebars file, wouldn't a server update overwrite even those changes?

Not sure about your changes not being effective. If NodeJS is in production mode, it will cache the pages in memory so you may need to restart the server. For development I don't have my NodeJS in production mode so I can make changes to the pages without needing to restart the server each time.

I would like to know exactly what changes you want. Do you want just autocomplete="current-password" removed? All the autocompletes? What about autocomplete="new-password"? Should I replace all autocomplete with autocomplete=off?

@Ylianst I agree it's not a particularly pleasant "feature" and I 100% agree with all reservations about removing them, but with the vuln scanners performing automatically, I would suggest having an option to remove _all_ autocomplete attributes completely from the login page would be the way to go - I sincerely think that's the safest and probably only way the vuln scanners wouldn't flag it as a concern considering the attribute would no longer exist.

Ok, this is a dumb request but I added it in. Add "autocomplete": false in the domain section of the config.json in upcoming MeshCentral v0.7.91. Let me know if that works.
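As an added illustration of both halves of this thread (the scanner finding in the opening post and the domain-level "autocomplete": false option in the last comment), here is example code that is not MeshCentral's own implementation: a scanner-style check that reports which login inputs carry an autocomplete attribute, and a hypothetical config-driven filter that strips those attributes when the domain option is false. The login form HTML is a constructed sample, not the real login.handlebars.

```javascript
// Added example, not MeshCentral's code. Two pieces:
// (1) the audit check: report <input> elements whose autocomplete attribute is set;
// (2) a hypothetical domain-config filter that removes those attributes from the
//     login page HTML when the domain option "autocomplete" is false.

// Constructed sample resembling a login form with the attributes discussed above.
const SAMPLE_LOGIN_HTML = `
<form id="loginform" method="post">
  <input id="username" name="username" type="text" autocomplete="username">
  <div id="loginuserpassdiv">
    <input id="password" name="password" type="password" autocomplete="current-password">
  </div>
  <input id="newpass" type="password" autocomplete="new-password">
  <input type="submit" value="Login">
</form>`;

// Match each <input ...> tag so its attributes can be inspected or rewritten.
const INPUT_TAG = /<input\b[^>]*>/gi;
// name="value", name='value' or name=value pairs inside a single tag.
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Scanner-style check: list every input carrying an autocomplete attribute.
// Returns [{ id, type, autocomplete }] so the caller decides what counts as a finding
// (an audit of the kind described above flags the password field in particular).
function findAutocompleteFields(html) {
  const findings = [];
  for (const m of html.matchAll(INPUT_TAG)) {
    const a = parseAttrs(m[0]);
    if ('autocomplete' in a) {
      findings.push({ id: a.id || null, type: a.type || 'text', autocomplete: a.autocomplete });
    }
  }
  return findings;
}

// Config-driven filter: when domainConfig.autocomplete === false, drop every
// autocomplete attribute from <input> tags; otherwise return the HTML unchanged.
function applyAutocompletePolicy(html, domainConfig) {
  if (domainConfig.autocomplete !== false) return html;
  return html.replace(INPUT_TAG, (tag) =>
    tag.replace(/\s+autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, ''));
}
```

Running findAutocompleteFields over the filtered output is the same check an authenticated scanner would apply after the option is turned on; an empty result means the attribute no longer exists on the page.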
