Wire-webapp: Password manager incompatibility & clipboard risk

Created on 10 Jan 2017  Â·  8Comments  Â·  Source: wireapp/wire-webapp

The web app login page at https://app.wire.com/auth/#login appears to be incompatible with the Lastpass password manager used as a Google Chrome extension (even when I use the Lastpass feature that lets me manually initialize all possible password-related form fields). The email field gets filled in but the password field remains empty.

A minor consequence of this is the slight inconvenience of using manual copy-and-paste to fill in the password.

The more important risk here is that one's password ends up in the clipboard, where it might lurk unnoticed for a long time.

Lastpass is generally very good at identifying login and password fields, so if it doesn't work, it usually means there is something quite unusual about the web page.

It would be nice if the login page could be made more compatible with password managers. Perhaps an additional simple login page, with very few form fields and the least possible JavaScript, could be provided for use with password managers — if this can be done without compromising login security.

In the mean time, as a security precaution, the web app could simply clear the clipboard after every login.

Most helpful comment

All 8 comments

@fortran77

as a security precaution, the web app could simply clear the clipboard after every login

I am against this, because I don't want any web app to just clear my clipboard. The password manager is responsible for that.

It would be nice if the login page could be made more compatible with password managers.

I just tried autofilling the login page with KeePass2 + chromeIPass + Chromium. Works as intended.
Did you try the trouble guide in the LastPass FAQ? If it still doesn't work, we need to figure out what's the difference between the Wire WebApp login page and other login pages.

Alright, after quickly creating a LastPass account, I figured it out. in AuthViewModel.coffee#L1334 there is a fix to disable Chrome's auto form fill. This causes LastPass to ignore the password field.

As a temporary workaround you can right-click on the password field, select Auto-Fill and then click on the corresponding entry.

So it looks like this is fixable within the Wire web app? That's great.

The only useful part of the Lastpass trouble guide is the suggestion to use the Save All Entered Data feature, which I did try, hence my comment “even when I use the Lastpass feature that lets me manually initialize all possible password-related form fields”.

Regarding the suggestion to right-click, the sequence I see is right click => Lastpass => Autofill, and it works for me only in the email field, not in the password field.

Regarding the comment “I don't want any web app to just clear my clipboard. The password manager is responsible for that.” : The Lastpass extension for Chrome on desktops will in fact clear the clipboard after a timeout period, provided a so-called binary component for Lastpass has been installed. Otherwise it will not. On Chrome OS devices, like the one on which I encountered the problem, there is no binary component and no option to time out the clipboard.

I wonder if there is a JavaScript limitation preventing the Lastpass extension for Google Chrome from clearing the clipboard if no binary component is available. If so, then maybe the Wire web app won't be able to clear the clipboard either.

The need to clear the clipboard will become moot if Lastpass can fill in the password field.

There is an additional related Lastpass issue in the web app. If I take the click path:

 Devices => (for any listed device click on right arrow) => REMOVE

I get a small window that asks for my password. Invoking Lastpass (by any of several methods) and asking it to autofill this password field results in the field being filled with my email address, not my password. Once again, I can manually copy-and-paste, with the same consequence, i.e., my password is now in the clipboard.

@fortran77
Without further investigation I assume that this is the same issue.

@bennyn
The fix exists since the initial commit, maybe it's time to discuss it? :slightly_smiling_face:

@fortran77 & @ffflorian: We deactivated autofill in our forms because Google Chrome adds a yellow background to fields which can be filled with autocomplete. It was a design decision.

We can evaluate again if this workaround will help: https://css-tricks.com/snippets/css/change-autocomplete-styles-webkit-browsers/

Denying users the ability to autofill a long random password, thus encouraging them to use a short and simple password or, in cases such as mine, creating the risk of a password lurking in the clipboard, seems to me to be excessively severe collateral damage just to prevent a yellow background. Especially because the yellow background actually provides a useful hint to users who have enabled autocompletion in their browsers.

If the CSS works, then that would be ideal.

For the main login screen, another option that would satisfy all concerned — both those who want to autofill passwords and those who object to yellow — would be to provide an additional simple login page as I recommended above, with very few form fields and the least possible amount of JavaScript.

However, this would not solve the problem of the additional login field reached with the “Devices => (for any listed device click on right arrow) => REMOVE” sequence. Maybe some yellow could be tolerated here — it's there only for a few seconds, and then it's gone.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

maximbaz picture maximbaz  Â·  3Comments

0xdade picture 0xdade  Â·  5Comments

maximbaz picture maximbaz  Â·  4Comments

fortran77 picture fortran77  Â·  4Comments

maximbaz picture maximbaz  Â·  6Comments