IBM RegTech Ideas Portal




Autocomplete behaviour should be disabled in password form fields

A number of password form fields within the application had the client-side _autocomplete_ behavior enabled.

This is a convenience feature in most browsers that lets users store passwords for different websites without having to remember them. Upon visiting a page whose password was _remembered_ by the browser, the password field will be filled in automatically for the user. This exposes two different risks:

* If the application is vulnerable to cross-site scripting, an adversary could craft an XSS payload that abuses the autocompletion feature to steal stored passwords.

* An adversary with local access to the user's environment (e.g. shared office or hotel computer) would generally be able to extract stored passwords from the local cache.


* The password fields in the change password forms
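The two forms below, as an added example that is not code from the original idea or the IBM product, show a change-password form with autocomplete left at the browser default beside its hardened counterpart, plus a small audit function that lists the password inputs still lacking a safe value. All form markup, field names and the `/changePassword` path are constructed for the example.

```javascript
// Added example (not from the original idea or the IBM product): scan form
// markup for password inputs whose autocomplete attribute still lets the browser
// store and refill the value. Assumption: plain HTML attributes written as
// name="value", name='value' or name=value; all markup below is constructed.

// Values that stop the browser refilling a stored credential into the field.
const SAFE_AUTOCOMPLETE = new Set(["off", "new-password"]);

// Parse the attributes of one tag into a lowercase-name -> raw-value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

// Return the name (or id) of every password input lacking a safe autocomplete
// value, so a reviewer gets the list of fields that still need fixing.
function findAutocompletePasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type ?? "").toLowerCase() !== "password") continue;
    if (SAFE_AUTOCOMPLETE.has((attrs.autocomplete ?? "").toLowerCase())) continue;
    findings.push(attrs.name ?? attrs.id ?? "<unnamed>");
  }
  return findings;
}

// Constructed sample: a change-password form as reported (autocomplete left at
// the browser default) beside its hardened counterpart.
const REPORTED_FORM = `
<form method="post" action="/changePassword">
  <input type="password" name="currentPassword">
  <input type="password" name="newPassword">
  <input type="password" name="confirmPassword">
</form>`;

const HARDENED_FORM = `
<form method="post" action="/changePassword" autocomplete="off">
  <input type="password" name="currentPassword" autocomplete="off">
  <input type="password" name="newPassword" autocomplete="new-password">
  <input type="password" name="confirmPassword" autocomplete="new-password">
</form>`;

console.log("fields to fix:", findAutocompletePasswordFields(REPORTED_FORM));
```

Most current browsers ignore `autocomplete="off"` on password inputs but do honour `autocomplete="new-password"`, which is why the hardened form uses that value for the new credential and its confirmation.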
  • Guest
  • Mar 29 2019
  • Will Not Implement
Component: End User UI
Priority: Low - Nice to Have