User Management: Do not autocomplete passwords
Security scanners list enabled autocomplete as a medium-priority
issue. The concern is that someone could use a password saved
on a compromised computer to compromise a BMC.
Change-Id: Ibefa75af19046e056955406c1e4d31331d82f19f
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
diff --git a/app/users/controllers/user-accounts-controller.html b/app/users/controllers/user-accounts-controller.html
index 4b243aa..1e8b0ac 100644
--- a/app/users/controllers/user-accounts-controller.html
+++ b/app/users/controllers/user-accounts-controller.html
@@ -11,12 +11,12 @@
<legend aria-label="user manager" class="accessible-text">Change password form</legend>
<div class="row column">
<label for="user-manage__current-password">Current password</label>
- <input id="user-manage__current-password" type="password" ng-model="oldPassword" class="user-manage__current-password inline"/>
+ <input id="user-manage__current-password" type="password" ng-model="oldPassword" class="user-manage__current-password inline" autocomplete="off"/>
</div>
<div class="inline">
<label for="user-manage__new-password">New password</label>
<div class="user-manage__input-wrapper inline">
- <input id="user-manage__new-password" type="{{showpassword ? 'text' : 'password'}}" ng-model="password" class="user-manage__new-password inline"/>
+ <input id="user-manage__new-password" type="{{showpassword ? 'text' : 'password'}}" ng-model="password" class="user-manage__new-password inline" autocomplete="off"/>
<button ng-model="showpassword" ng-click="togglePassword = !togglePassword; showpassword = !showpassword;" class="password-toggle">
<span ng-hide="togglePassword">Show</span>
<span ng-show="togglePassword">Hide</span>
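Review bot: `autocomplete="off"` on these password inputs is only advisory, and current browsers' password managers commonly ignore it on `type="password"` fields, so the additions here and on the retype field in the second hunk may clear the scanner finding without stopping a browser from offering to save or fill the BMC password. For the new-password input in this hunk and the retype input in the next, the token browsers document for suppressing prefill of a saved credential is `autocomplete="new-password"`. Both of those inputs switch to `type="text"` while the Show toggle is active, so whichever value is used, it is worth checking in the supported browsers that the typed password does not end up in ordinary form history in that state. The current-password input has no equally reliable markup-only equivalent, so the residual risk should be stated rather than treated as closed. The enclosing form starts and ends outside the hunk, so any form-level autocomplete setting cannot be seen from here.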
@@ -26,7 +26,7 @@
<div class="inline">
<label for="user-manage__verify-password">Retype new password</label>
<div class="user-manage__input-wrapper inline">
- <input id="user-manage__verify-password" type="{{showpasswordVerify ? 'text' : 'password'}}" ng-model="passwordVerify" class="user-manage__verify-password inline"/>
+ <input id="user-manage__verify-password" type="{{showpasswordVerify ? 'text' : 'password'}}" ng-model="passwordVerify" class="user-manage__verify-password inline" autocomplete="off"/>
<button ng-model="showpasswordVerify" ng-click="toggleVerify = !toggleVerify; showpasswordVerify = !showpasswordVerify;" class="password-toggle">
<span ng-hide="toggleVerify">Show</span>
<span ng-show="toggleVerify">Hide</span>