Allow browsers to save RSA Link username/password

5 Likes
Status: Under Review. Submitted by NathanielWallwo (Beginner) on 2017-12-05 03:15 PM

RSA has gone out of their way to prevent web browsers from storing their RSA Link username and password. This promotes poor security practices, so RSA ought to allow us to use the password managers built into our browsers.

The initial login page ( https://auth.rsasecurity.com/IMS-AA-IDP/InitialLogonDispatch.do ) prompts for User ID. In the HTTP code, the input form includes autocomplete="off". Since there are no input fields with type="password", browsers honor the autocomplete="off" setting, and they do not store the username.

The next page ( https://auth.rsasecurity.com/IMS-AA-IDP/ProcessUserID.do ) prompts for Password. In the HTTP code, the input form includes autocomplete="off". Since there is an input field with type="password", some browsers ignore the autocomplete="off" setting and store the password. If there had been other input fields on that page, those would have been stored as well. IE does not store the password. Firefox and Chrome do store the password.

When I connect to RSA Link with Firefox, I have to type my username, then the browser knows my password. That's annoying.

When I connect to RSA Link with IE, I have to type my username, open Firefox's password manager, copy my password, close Firefox's password manager, and paste the password into IE. That's REALLY annoying.

This page ( https://blog.0xbadc0de.be/archives/124 - "The war against autocomplete=off: let my browser remember passwords !") does a good job of addressing the various pros and cons.

The bottom line is that preventing browser storage of username and password forces users to compromise security, either selecting a weak password that they can remember, using the same password on unrelated sites, or recording the password somewhere else. These are all much worse than just using the browser's password manager.

Recommended solution: Prompt for username and password on the same page.

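As an added example, not code from the original post or from RSA Link, here is a small JavaScript audit that applies the behaviour described above to login-form markup and reports whether a browser's password manager can save each credential; the sample forms and their action paths are constructed for the example.

```javascript
// Added example (not from the post or RSA Link): audit login-form markup for the
// behaviour the post describes. autocomplete="off" is honoured when no password
// field exists and widely ignored when one does. Regex-based, no DOM needed.
function parseInputs(html) {
  // One attribute map per <input ...> tag, attribute names lower-cased.
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) attrs[attr[1].toLowerCase()] = attr[2];
    inputs.push(attrs);
  }
  return inputs;
}

function auditLoginForm(html) {
  const form = /<form\b([^>]*)>/i.exec(html);
  const formAutocompleteOff = form ? /autocomplete\s*=\s*"off"/i.test(form[1]) : false;
  const typeOf = (i) => (i.type || 'text').toLowerCase();
  const inputs = parseInputs(html);
  const hasUsername = inputs.some((i) => ['text', 'email'].includes(typeOf(i)));
  const hasPassword = inputs.some((i) => typeOf(i) === 'password');
  const issues = [];
  if (hasUsername && !hasPassword) issues.push('username collected without a password field: autocomplete="off" is honoured, username not saved');
  if (hasPassword && !hasUsername) issues.push('password collected on its own page: the saved entry carries no username');
  if (formAutocompleteOff) issues.push('form sets autocomplete="off": use autocomplete="username" / "current-password" on the fields instead');
  return {
    formAutocompleteOff, hasUsername, hasPassword,
    browserSavesPassword: hasPassword,                // Firefox/Chrome ignore "off" once a password field exists
    browserSavesUsername: hasUsername && hasPassword, // only saved alongside a password field on the same form
    issues,
  };
}

// Constructed samples: the two-step flow the post describes, then the recommended single page.
const USER_ID_PAGE = '<form action="/step1" method="post" autocomplete="off">' +
  '<input type="text" name="userid"><input type="submit" value="Next"></form>';
const PASSWORD_PAGE = '<form action="/step2" method="post" autocomplete="off">' +
  '<input type="password" name="password"><input type="submit" value="Log in"></form>';
const SINGLE_PAGE = '<form action="/login" method="post">' +
  '<input type="email" name="userid" autocomplete="username">' +
  '<input type="password" name="password" autocomplete="current-password">' +
  '<input type="submit" value="Log in"></form>';

for (const [name, html] of [['user id', USER_ID_PAGE], ['password', PASSWORD_PAGE], ['single', SINGLE_PAGE]]) {
  console.log(name, auditLoginForm(html).issues);
}
```

The single-page form reports no issues because both fields sit on one form and the per-field autocomplete tokens tell the password manager which value is the username and which is the password.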
6 Comments
jeffshurtliff (Administrator), 2017-12-11 02:30 PM

Hi Nathaniel,

Thank you for submitting this idea. We are reviewing the request and performing the discovery phase in order to identify what effort is required to make these changes to the authentication process on RSA Link.

I will provide an update as soon as we have more information.

Thanks again,

Jeff Shurtliff, CISSP, CISM | Team Lead, RSA Link Team | Customer Success | RSA
Working Hours: Mon-Fri, 7am-4pm MST | 800-995-5095 | jeff.shurtliff@rsa.com

DavidBaldwin1 (Beginner), 2018-04-16 02:44 PM

Jeff Shurtliff, this is a question that should definitely be reviewed carefully. Back in 2012 a colleague and I were working on a project for a large web application. We discovered that we could convert a password to "plaintext" when a user chose to have the browser save the password. I then tried to see how many friends I could trick into giving me their Facebook password.

Exploitation worked simply like this:

1. Ask to use a friend's laptop
2. Go to Facebook
3. Use the browser's developer tools to change the field type from password to text

These screenshots were taken from a friend's machine literally 15 minutes ago. This form of social engineering can be done on Chrome, Firefox, and IE.

[Screenshot: Screen Shot 2018-04-16 at 2.32.13 PM.png]

[Screenshot: Screen Shot 2018-04-16 at 2.32.44 PM.png]

Note: Users choose weak passwords anyway, so allowing password autocomplete does not increase the security of the password. Back in the day I could uncover most people's Windows passwords using Ophcrack because they were all under 14 characters in length. Using symbols did not have any effect on my ability to retrieve the password.

Cracking Windows XP passwords

NathanielWallwo (Beginner), 2018-04-17 02:09 PM

I agree that malicious parties who have access to your computer or browser will be able to access your credentials. There are many attack vectors.

The current login implementation for RSA Link doesn't prevent users from storing their passwords. It only prevents users from storing their email address, and forces users to type their email address each time they log in. That's inconvenient for users, but it does nothing to improve security.

DavidBaldwin1 (Beginner), 2018-04-21 05:57 PM

Now, I had a random thought that may prove useful. You could use JavaScript to convert the password to a hash using a one-way encryption algorithm. This way it's the hash that gets stored in the browser. This could be done as part of the activities conducted when the user clicks "login" or hits "enter" on their keyboard. But the new hash would require you to employ 2-factor authentication methods, like the way myfedloans.org, regions.com, Auth0, or some other institutions employ it.

It may even be possible to have the browser update the password hash each time the user logs in or based on some other predetermined frequency; changing the password or the salt each time will prevent the user from using the same encrypted hash to log in.

This way, even with my described social engineering example, the user would only end up with an expired hash, or a hash that can only be used if you know the original password.

rsalinkadmin (Administrator), 2021-07-07 07:24 PM

Status changed to: In Progress
rsalinkadmin (Administrator), 2021-08-12 07:19 PM

Status changed to: Under Review
