Is it possible to disable password auto-complete?

David Victor

Dear fellow DA users,

One of our customers has had some security scan done and it states:

Web Server Allows Password Auto-Completion

as one of the flagged concerns.

Even though I don't see this as a big issue, I was still looking for a way to disable this on our clients' servers. Does anyone know if there is an out-of-the-box option in DirectAdmin to disable password auto-fill?

Or do you guys happen to know where I can find the default login form so I can try and customize it a bit? I have looked at the
Code:
/usr/local/directadmin/data/skins/evolution/login.html
but that doesn't seem to contain any obvious form data...

Kind regards,

David
 
You could place a customized login.html in /usr/local/directadmin/data/templates/custom/ and the default will be overridden?
 
Some users may like the autocomplete feature. It's their browser doing the autocomplete. It's only a problem if their own computer is compromised.
 
Most of the users like the autocompletion; security scans have to report on something! Without results, people think they are useless.
 
I suggest adding these fields.

Code:
autocomplete='off'
spellcheck='false'
autocorrect='off'
autocapitalize='off'

This will solve all possible problems with input fields on all devices.


This is just an idea.
If you still haven't found a way to add them, just use JavaScript.

This way, all scanners might think it still allows autocomplete, but it doesn't when using a real browser.

Code:
cp /usr/local/directadmin/data/templates/login.html /usr/local/directadmin/data/templates/custom/login.html
Add this code to the end of the page:
Code:
<script>
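try{
    document.addEventListener("DOMContentLoaded", () => {
        document.querySelectorAll('input').forEach( input => {
            // Set the content attributes on every input once the DOM is ready.
            input.setAttribute("autocomplete", "off");
            // spellcheck takes "true"/"false"; "off" is not a valid value.
            input.setAttribute("spellcheck", "false");
            input.setAttribute("autocorrect", "off");
            input.setAttribute("autocapitalize", "off");

            // Mirror the same settings on the DOM properties.
            input.autocomplete = "off";
            // spellcheck (and autocorrect, where supported) are boolean
            // properties; a non-empty string such as "off" coerces to true.
            input.spellcheck = false;
            input.autocorrect = false;
            input.autocapitalize = "off";
        });
    });
}catch(_ex){
    // Ignore errors so a failure here never breaks the login page.
}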
</script>
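
The post above notes that a scanner may still flag the page when the attribute is only set by JavaScript. As an added example (not part of the original post and not DirectAdmin code), this Node.js script checks served HTML the way a scanner that does not execute JavaScript would; the sample pages, the `/login` action and the function names are constructed for illustration.

```javascript
// Added example. Sample pages are constructed, not DirectAdmin's real template.
const STATIC_FIX = `<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>`;
const JS_ONLY_FIX = `<form action="/login" method="post">
  <input type="password" name="password">
</form>
<script>document.querySelectorAll('input').forEach(i => i.setAttribute("autocomplete", "off"));</script>`;

// Parse the attributes of one start tag into a { name: value } map.
// Assumption: no ">" inside attribute values.
function parseAttrs(tag) {
  const body = tag.replace(/^<\s*\w+/, "").replace(/\/?\s*>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the names of password inputs whose served markup leaves autocomplete on.
function flaggedPasswordInputs(html) {
  // A static scan does not run JavaScript, so comments and script bodies are dropped.
  const markup = html
    .replace(/<!--[\s\S]*?-->/g, "")
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, "");
  const tagRe = /<\s*(\/?)\s*(form|input)\b[^>]*>/gi;
  const flagged = [];
  let formOff = false; // does the enclosing <form> carry autocomplete="off"?
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1] ? {} : parseAttrs(m[0]);
    const own = attrs.autocomplete?.toLowerCase();
    if (m[2].toLowerCase() === "form") {
      formOff = own === "off"; // a closing </form> resets this to false
      continue;
    }
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    // The input's own attribute wins; otherwise it inherits the form's setting.
    if (!(own === undefined ? formOff : own === "off")) {
      flagged.push(attrs.name || "(unnamed)");
    }
  }
  return flagged;
}
```

Run it against the HTML actually returned by the login URL, since that response is what a scanner inspects.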
 
Thank you jamgames2. Your solution is very straightforward and almost exactly what I was looking for.
I did, however, apply it to /usr/local/directadmin/data/templates/login.html instead of your suggestion:
/usr/local/directadmin/data/templates/custom/login.html
That's because I read it's not necessary to use a 'custom' directory according to this article in the DA documentation: https://docs.directadmin.com/changelog/version-1.20.4.html

I'll let the customer know that their wish is granted.
Kind regards,

David

PS: @floyd Yes, I know it's not a real issue, but sometimes making the customer happy is worth it anyway. But thanks for pointing it out.
 