This is the option which disables browser auto-complete.
Original Message:
Sent: May 17, 2024 03:16 PM
From: Andres_Gama
Subject: disable autocomplete username and password ClearPass
Good afternoon,
I would like to know how to globally disable this feature. As I mentioned before, the company conducted an audit and found this feature to be a vulnerability. It needs to be disabled across the entire platform.
Thank you very much.
Original Message:
Sent: May 17, 2024 01:08 PM
From: GorazdKikelj
Subject: disable autocomplete username and password ClearPass
Hi Andres.
This option should only affect the web form when you disable it. If you disable it at the global level, it will affect all forms where it is used.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 17, 2024 11:57 AM
From: Andres_Gama
Subject: disable autocomplete username and password ClearPass
Of course, here is the English translation:
Good morning,
I wanted to inform you that I have found the option to disable autocomplete in the password field in ClearPass Guest. I have checked the corresponding box to deactivate it. However, I would like to confirm if this setting also affects ClearPass Policy Manager.
When I inspect the elements, I notice that autocomplete still seems to be active. Could you please confirm if the option I selected disables autocomplete for ClearPass Policy Manager?
I greatly appreciate your assistance.
Best regards,
Andres Gama
Original Message:
Sent: May 17, 2024 09:52 AM
From: GorazdKikelj
Subject: disable autocomplete username and password ClearPass
Hi Andreas.
Maybe I was not clear enough. You will find global form field definitions in Guest / Configuration / Pages / Fields. You should look into the specific configuration of form fields for your page, so you never want to redefine default fields but only the form's copy of the field.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 17, 2024 09:36 AM
From: Andres_Gama
Subject: disable autocomplete username and password ClearPass
Good morning, GorazdKikelj,
Thank you for responding. I am validating in ClearPass Guest on the "Web Logins" tab, and the indicated option does not appear (I have attached a screenshot with the options that do appear). I would like to know if this configuration is done in ClearPass Guest or in ClearPass Policy Manager.
Additionally, when I inspect the username field on the login page, it shows as "off", and the password field shows as "new-password". Thank you very much for the information, and I look forward to your assistance. The current version we are using is ClearPass Policy Manager 6.10.0.180076.
INSPECT USERNAME
<input id="username" name="username" value="" style="width:200px;" type="text" autocomplete="off">
INSPECT PASSWORD
<td class="nwaBody">
<input type="hidden" autocomplete="new-password" name="F_password" id="Fake_auth_login_password" value="0">
<input type="password" name="password" id="pw" style="width: 200px;" autocomplete="new-password">
<input type="password" autocomplete="new-password" value="no-ff-pwmgr-1" style="display:none;">
<input type="password" autocomplete="new-password" value="no-ff-pwmgr-2" style="display:none;">
<input type="password" autocomplete="new-password" value="no-ff-pwmgr-3" style="display:none;">
<input type="password" autocomplete="new-password" value="no-ff-pwmgr-4" style="display:none;">
<input type="hidden" id="next" name="next" value="">
</td>
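An added example, not part of the original thread and not ClearPass code: one way to confirm what a rendered login page actually declares after changing the field setting, by listing the user-facing text and password inputs whose autocomplete value differs from a chosen policy value while skipping hidden and display:none fields. The sample markup is abridged from the message above; the class and function names and the `expected` parameter are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample: markup abridged from the message above.
SAMPLE = """
<input id="username" name="username" value="" style="width:200px;" type="text" autocomplete="off">
<td class="nwaBody">
<input type="hidden" autocomplete="new-password" name="F_password" id="Fake_auth_login_password" value="0">
<input type="password" name="password" id="pw" style="width: 200px;" autocomplete="new-password">
<input type="password" autocomplete="new-password" value="no-ff-pwmgr-1" style="display:none;">
<input type="hidden" id="next" name="next" value="">
</td>
"""


class InputCollector(HTMLParser):
    """Collect every <input> with the attributes relevant to autofill."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        self.inputs.append({
            "label": a.get("id") or a.get("name") or "(unnamed)",
            "type": a.get("type", "text").lower(),
            "autocomplete": a.get("autocomplete"),  # None if the attribute is absent
            "hidden": a.get("type", "").lower() == "hidden" or "display:none" in style,
        })


def audit(html, expected="off"):
    """List user-facing inputs whose autocomplete differs from `expected` (assumed policy value)."""
    parser = InputCollector()
    parser.feed(html)
    return [
        (i["label"], i["type"], i["autocomplete"])
        for i in parser.inputs
        if not i["hidden"] and i["type"] in ("text", "password")
        and (i["autocomplete"] or "").lower() != expected
    ]


if __name__ == "__main__":
    for label, kind, value in audit(SAMPLE):
        print(f"{label} ({kind}): autocomplete={value!r}")
```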
Original Message:
Sent: May 17, 2024 07:21 AM
From: GorazdKikelj
Subject: disable autocomplete username and password ClearPass
Hi Andreas.
You should use ClearPass field definition in the form to block the auto-completion:
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: May 14, 2024 12:12 PM
From: Andres_Gama
Subject: disable autocomplete username and password ClearPass
Dear Team,
Recently, we have identified a vulnerability in the autocomplete field for username and password on our website through ClearPass. Upon inspection, we noticed that the password is set as autocomplete="new-password" in the HTML text, which poses a security risk. To address this vulnerability, it is necessary to modify the text to autocomplete="off".
I would like to request guidance on the best way to make this change. Should we address it from the ClearPass server or would it be more appropriate to modify the HTML directly? I would appreciate your recommendations on the most effective and secure approach to implement this correction.
Thank you for your attention and prompt response.
Best regards,
Andres Gama