RSA has gone out of their way to prevent web browsers from storing their RSA Link username and password. This promotes poor security practices, so RSA ought to allow us to use the password managers built into our browsers.
The initial login page ( https://auth.rsasecurity.com/IMS-AA-IDP/InitialLogonDispatch.do ) prompts for User ID. In the HTTP code, the input form includes autocomplete="off". Since there are no input fields with type="password", browsers honor the autocomplete="off" setting, and they do not store the username.
The next page ( https://auth.rsasecurity.com/IMS-AA-IDP/ProcessUserID.do ) prompts for Password. In the HTTP code, the input form includes autocomplete="off". Since there is an input field with type="password", some browsers ignore the autocomplete="off" setting, and store the password. If there had been other input fields on that page, those would have been stored as well. IE does not store the password. Firefox and Chrome do store the password.
When I connect to RSA Link with Firefox, I have to type my username, then the browser knows my password. That's annoying.
When I connect to RSA Link with IE, I have to type my username, open Firefox's password manager, copy my password, close Firefox's password manager, and paste the password to IE. That's REALLY annoying.
This page ( https://blog.0xbadc0de.be/archives/124 - "The war against autocomplete=off: let my browser remember passwords !") does a good job of addressing the various pros and cons.
The bottom line is that preventing browser storage of username and password forces users to compromise security, either selecting a weak password that they can remember, using the same password on unrelated sites, or recording the password somewhere else. These are all much worse than just using the browser's password manager.
Recommended solution: Prompt for username and password on the same page.
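An added example, not part of the original post and not RSA's markup: a small Python audit that flags the two properties described above that get in the way of browser password managers, namely autocomplete="off" and a login split so that username and password sit in separate forms. The three sample pages and their field names are constructed for illustration.

```python
from html.parser import HTMLParser

class FormCollector(HTMLParser):
    """Record each <form>'s autocomplete value and the (type, autocomplete) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._cur = {"ac": a.get("autocomplete", ""), "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("type", "text"), a.get("autocomplete", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit(html):
    """Return (form_index, finding) pairs for a login page's forms."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for i, form in enumerate(collector.forms):
        types = [t for t, _ in form["inputs"]]
        has_pw = "password" in types
        has_user = any(t in ("text", "email") for t in types)
        if form["ac"] == "off" or any(ac == "off" for _, ac in form["inputs"]):
            findings.append((i, "autocomplete-off"))
        if has_pw and not has_user:
            findings.append((i, "password-without-username"))
        if has_user and not has_pw:  # meaningful only on login pages
            findings.append((i, "username-without-password"))
    return findings

# Constructed sample markup; field names are hypothetical.
USERID_PAGE = '<form method="post" autocomplete="off"><input type="text" name="user"></form>'
PASSWORD_PAGE = '<form method="post" autocomplete="off"><input type="password" name="pw"></form>'
COMBINED_PAGE = ('<form method="post">'
                 '<input type="text" name="user" autocomplete="username">'
                 '<input type="password" name="pw" autocomplete="current-password">'
                 '</form>')

if __name__ == "__main__":
    for name, page in [("user ID page", USERID_PAGE), ("password page", PASSWORD_PAGE),
                       ("combined page", COMBINED_PAGE)]:
        print(name, audit(page))
```

The combined page, which follows the recommended solution and uses the standard `username` and `current-password` autocomplete hints, produces no findings.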