Environment
Self Service Password Reset
SSPR 4.x
Firefox v38 or newer
Chrome v34 or newer
Internet Explorer 11
Situation
Browser prompts to save passwords for the SSPR login page - is this a security vulnerability?
How to prevent Firefox from saving the login for the SSPR page.
Resolution
This is not a security vulnerability in SSPR. With older browser versions, setting "autocomplete=off" in a web application would prevent the browser from prompting to store credentials. This is no longer the case with modern browsers.
SSPR sets "autocomplete=off" in the login form, but it is up to the browser to honor it. Newer versions of Firefox, Chrome and IE don't honor the attribute; they consider it safer to save passwords in their vault, which can then be protected using a cert or a master password etc.
To stop the browser from prompting at an organizational level, use a Windows Group Policy Object or a Linux or macOS script. For example, see https://github.com/mozilla/policy-templates/blob/master/README.md for instructions on setting a Windows GPO for Firefox.
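For the Linux or macOS script route, the following is an added example, not part of the original article or of SSPR: a Python script that merges the Firefox OfferToSaveLogins policy into an existing policies.json without discarding policies already deployed. The policy name comes from the mozilla/policy-templates README; the policy directory is an assumption supplied by the administrator as an argument.

```python
import json
import os
import sys
import tempfile

# Policy name as listed in the mozilla/policy-templates README.
DESIRED = {"OfferToSaveLogins": False}  # False = never offer to save logins


def merge_policies(existing, desired=DESIRED):
    """Return (document, changed_keys), preserving policies already set."""
    doc = dict(existing) if isinstance(existing, dict) else {}
    current = doc.get("policies")
    policies = dict(current) if isinstance(current, dict) else {}
    changed = sorted(k for k, v in desired.items() if policies.get(k) is not v)
    policies.update(desired)
    doc["policies"] = policies
    return doc, changed


def apply_policy(policy_dir):
    """Merge DESIRED into <policy_dir>/policies.json; return the keys changed."""
    path = os.path.join(policy_dir, "policies.json")
    try:
        with open(path, encoding="utf-8") as fh:
            existing = json.load(fh)  # invalid JSON raises: never overwrite blindly
    except FileNotFoundError:
        existing = {}
    doc, changed = merge_policies(existing)
    if changed:
        os.makedirs(policy_dir, exist_ok=True)
        # Write to a temp file and rename so Firefox never reads a partial file.
        fd, tmp = tempfile.mkstemp(dir=policy_dir, suffix=".tmp")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
            fh.write("\n")
        os.chmod(tmp, 0o644)  # readable by every user's browser, writable by owner
        os.replace(tmp, path)
    return changed


if __name__ == "__main__":
    # Hypothetical usage: pass the policy directory for your platform
    # (see the policy-templates README for where Firefox looks).
    print("changed:", apply_policy(sys.argv[1]) or "nothing")
```

Running it a second time reports no changes, so it is safe to call from a recurring configuration-management job.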
Additional Information
The change in browsers to not honor autocomplete=off is documented on the Mozilla developer site. See