It is a security issue or vulnerability
CVSS 2 = 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
A variable in the configuration of the Django application can be set to
enable or disable autocompletion on the login form of the admin interface.
--
Ticket URL: <https://code.djangoproject.com/ticket/28225>
* status: new => closed
* resolution: => invalid
Comment:
I don't believe that browsers storing login credentials is a security
issue. By the way, security issues should be
[https://docs.djangoproject.com/en/dev/internals/security/#reporting-security-issues reported to the security team]
rather than in this ticket tracker.
--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:1>
Comment (by Tim Graham):
In fact this issue has been reported several times to the security team.
Here's the team's response:
We intentionally leave autocomplete enabled as we believe that all modern
browsers now handle local form completion in a reasonably sane manner.
Autocomplete enables individuals to use stronger passwords and makes them
less susceptible to phishing attacks. These benefits greatly outweigh the
minor risk here. If you disagree, we encourage you to also read this post:
http://blog.0xbadc0de.be/archives/124
--
Ticket URL: <https://code.djangoproject.com/ticket/28225#comment:2>