It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

How to Prevent Password Autocompletion in Confluence

Hi,

I followed the procedure and it does not sucess.
Can you help me please?

https://confluence.atlassian.com/confkb/how-to-prevent-password-autocompletion-in-confluence-941591391.html

Confluence 6.15.4

Henrique.

 

1 answer

0 votes

Hello Henrique,

Thanks for reaching out about disabling the autocomplete of passwords upon login. The functionality you’re wanting to control is mainly controlled by the browsers used by the user. While previously you were able to disable the option to autocomplete the password, with changes recently made and controlled by the browsers this is no longer available. The article you linked displays this warning like the following:

The following browsers have removed support for the use of autocomplete="off"

  • Apple Safari 6.1.6 (OS X 10.7)
  • Google Chrome 41+
  • Microsoft Edge
  • Microsoft Internet Explorer 11+
  • Mozilla Firefox 30+

As this is a design choice made by the browser's authors, there is no current work around available.

I hope this information proves helpful.

Regards,
Stephen Sifers

There's a good reason they did this by the way.  One of the best security recommendations we have is "use a different and complex password for every different account".  Humans cannot do this reliably, we need password management software, and "autocomplete = off" breaks them.  So, you actually do not want to turn it off!

Like Stephen Sifers likes this

Excuse me @Nic Brough _Adaptavist_  but I haven't  completely understood your sentence.

Do you mean we should have installed specific third part password management software, which needs (for its way to work) to find the browsers allowing for autocompletion?

The scenario we deal with is to have some users (especially customers) loggin in, allowed to read only specific Confluence pages, and I have no control on the pc/laptop or mobile configuration they're using, so the possibility to avoid autocompletion could help in some cases.

We're looking for alternatives.

Not quite.  I'm saying people should use "password safes" and when they do, you do not want to turn off auto-complete.

If people do not use password safes, you will find they use weak passwords, or write them down in insecure places.  Either way, you do not want that to happen.  Encourage them to use password safes and do not disable it.

Hi Nic, thanks for feedback.

The problem we're facing is that we'd like need to allow several users from multiple machines and mobiles, also from ouside our organization.

Of course we'll encourage the use of password safes, but what I'd like to find is to limitate in somw way the further risk of access from unknown users who might have access on a device with a common user.

We had an example from a pc with common access in one of our meeting rooms. On this pc is possible to enter as a generic "meeting-room-user" (with some limitations, but browsing the web is not one of these limitations), and from this using a browser to enter in Jira (or Confluence) as a registered user. If the user saves the password in the browser, the next person using the room might have access to Jira without the need to insert a password, just selecting the previous user name logged in.

The point is that I cannot be sure that the same situation won't happen at one of our customer's sites.

In an ideal configuration (in my mind, I don't know of this could be really the best way) I'd like to allow a selected list of internal pcs' and windows system users with some more options (maybe auto completions and/or longer timeouts) but avoiding autocompletion and reducing timeouts to the minimum for any other pc and windows user, or other device. The point is to not have the daily work to be continuously interrupted by login requests (I can't ask my collaborators to act in Confluence as if they would be dealing with their web bank), but at the same time reduce the risks when the access is done from uncontrolled devices.

Sorry for the complicate explanation, I could probably have made it shorter :-) , but it's my first experience dealing with Atlassian and now quickly moving from 25 to 50 allowed users. 

I could also consider plugins, if any could work for this.

Ciao, Andrea 

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Confluence Cloud

Bring information from GitHub into Confluence

I’ve got a couple of questions for you. Do you write technical documentation? What about technical documentation that references code and files from GitHub? In this article you will learn how to in...

32 views 0 3
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you